Maybe we're using the same terms for different things, but both chain.pem & fullchain.pem do include the root ISRG X1 certificate as the final certificate in each file. The problem for my use case was that certificate was not the self-signed version, but rather a version that was issued by DST CA X3 which caused vCenter to bail out because that is an expired certificate.
From what I'm reading here, certbot (which is the client I'm using) is already defaulting to the "new" chain which still provides the cross-signed ISRG X1 root certificate.