If the DNS API you use does not have a way to track whether all the anycast edges have the new zonefile, then you can simply wait for a longer time to allow the propagation to occur. It's a pretty reliable hack.
There isn't. There's no transition out of the invalid state of an authorization.
Yes, because Let's Encrypt have not implemented pre-authorization.