They do need certs but already have them. Issued by GoDaddy as part of that service. See for yourself with: SSL Checker
Well, maybe. What service will terminate HTTPS at "farms"? If "farms" was a server, like caddy or nginx, you could setup virtual hosts in those to handle the HTTPS and route to your other services (based on port number presumably). Each of those virtual hosts would need to know about cert.
And, you need to change the URL at the forwarding to be an HTTPS URL. Can that be done? I don't use GoDaddy so can't check but I assume so.
There are better ways to structure this. Are you sure your ISP does not support port 80 inbound to you? (does it use CGNAT for example?) Can you get a fixed IP? It would really simplify things in the long run.
What about port 443. Does your ISP allow inbound on that port?
As for GoDaddy and DNS API restrictions, see: Getting unauthorized URL error while trying to get cert for subdomains - #5 by adorobis