Through the use of my psychic powers, you are directly or indirectly using the Certes library with Kestrel as your web server, so I'm guessing you either have a custom certificate order process or you're using a Kestrel middleware to fetch the certs (like LettuceEncrypt).
Certes can't handle building the PFX you need if the machine certificate trust store doesn't know the required root certificates. If you enable normal Windows updates and remove any group policy restricting CA trust store updates, Windows will normally be able to keep this up to date itself. Alternatively, install ISRG Root X1 (self-signed) into Trusted Root Certification Authorities.
The reason this was previously working is Let's Encrypt were issuing using the DST Root CA X3 chain (expired root), which Windows would have in its trust store already, so that was enough to build the PFX.
The reason you're hitting the rate limit for duplicate certs is the certificate download completes OK from Let's Encrypt, but the actual PFX build (the file you really use) fails.
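
A diagnostic for the trust store condition described above, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the affected Windows host; matching the roots by subject CN and reading the `DisableRootAutoUpdate` policy value are choices made for this sketch.

```powershell
# Added example: report whether the roots named above are in the machine trust store.
# Matching on subject CN is an assumption of this sketch; compare the reported
# thumbprint with the one Let's Encrypt publishes before relying on a match.
function Get-RootStatus {
    param(
        [Parameter(Mandatory)] [string] $CommonName,
        [string] $StorePath = 'Cert:\LocalMachine\Root'
    )
    $now     = Get-Date
    $pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
    $found   = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -match $pattern })

    if ($found.Count -eq 0) {
        # Root is absent: the chain for the PFX cannot be completed from this store.
        return [pscustomobject]@{
            Name = $CommonName; Present = $false; SelfSigned = $null
            NotAfter = $null; Expired = $null; Thumbprint = $null
        }
    }
    foreach ($cert in $found) {
        [pscustomobject]@{
            Name       = $CommonName
            Present    = $true
            SelfSigned = ($cert.Subject -eq $cert.Issuer)  # a root should be self-signed
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $now)
            Thumbprint = $cert.Thumbprint
        }
    }
}

# The two roots the answer mentions: the current one and the expired one.
'ISRG Root X1', 'DST Root CA X3' |
    ForEach-Object { Get-RootStatus -CommonName $_ } |
    Format-Table -AutoSize

# Group policy can switch off automatic root updates, leaving the store stale.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy    = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($null -ne $policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'Automatic root certificate updates are disabled by policy.'
} else {
    Write-Output 'No policy blocking automatic root certificate updates was found.'
}
```

If ISRG Root X1 is reported as not present, that matches the failure described above: the certificate downloads, but the PFX chain cannot be built.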