Fullchain.pem contains an invalid Intermediate

That is absolutely normal and expected. The expired intermediate provides support for older Android devices. Most more modern devices will build a trust chain from the R3/ISRG intermediate to a trusted ISRG CA root and stop there. You can see these two paths using a test site like SSLLabs.com.

Let's Encrypt also offers a "short chain". Certbot versions 1.12 and later support that with the preferred-chain option. You can read more about the pros and cons of each here