I already shared my idea, and you indicated that was not the case. Did you test creating a DNS record with that token to confirm its permissions?
I use the DNS-01 challenge with Cloudflare, but I don't use certbot with that method, so I have no reference environment from which to offer any further suggestions.