Your understanding is mostly correct.
"This limit counts your root domain." That is really the registered domain, which is either something you purchased from a registrar or something that you obtained from a domain on the Public Suffix List.
Wildcards can be used to get around rate limits if your organization does not need to isolate the subdomains from each other, but rate limits do apply to wildcards.
If there is a scalable system for on-demand processing, which sounds like what you described, the correct solution will almost always be to share a single wildcard certificate across all the domains. There are almost no situations where an ACME client should be running on an ingress. That is a common anti-pattern that often causes a dev/ops disaster when the rate limits are reached and the deployment system needs to be rewritten.
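To make the arithmetic behind this advice concrete, here is an added example that is not part of the original post. It assumes a tiny constructed excerpt of the Public Suffix List and a placeholder per-registered-domain certificate limit; it groups requested hostnames by registered domain and compares per-host issuance against one shared wildcard certificate per registered domain.

```python
from collections import defaultdict

# Constructed excerpt of the Public Suffix List, for offline use only;
# real code must load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}

# Placeholder value (assumption): check the CA's published rate-limit page
# for the current per-registered-domain certificate limit and window.
DEFAULT_LIMIT = 50


def registered_domain(hostname: str) -> str:
    """Return the registrable domain: one label plus the longest public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {hostname}")


def covering_name(hostname: str) -> str:
    """Name a shared wildcard certificate needs in order to cover this host.

    A wildcard matches exactly one label, so a.b.example.com needs
    *.b.example.com, and the bare registered domain needs itself as a SAN.
    """
    reg = registered_domain(hostname)
    if hostname == reg:
        return reg
    return "*." + hostname.split(".", 1)[1]


def plan(hostnames, limit=DEFAULT_LIMIT):
    """Compare per-host issuance with one shared wildcard cert per registered domain."""
    groups = defaultdict(set)
    for host in hostnames:
        groups[registered_domain(host)].add(host)
    report = {}
    for reg, hosts in groups.items():
        report[reg] = {
            "per_host_certs": len(hosts),            # each one counts toward the limit
            "over_limit": len(hosts) > limit,
            "wildcard_sans": sorted({covering_name(h) for h in hosts}),  # one cert
        }
    return report
```

Running `plan` over sixty tenant hostnames under one registered domain shows sixty per-host certificates (over the placeholder limit) collapsing into a single certificate with one wildcard SAN.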