The "Failed Authorizations" ratelimit is applied to the combination of a Hostname AND Account per hour. Including the Account in the limit protects the legitimate usage, as the illegitimate actor's actions will only affect their rate-limit, not yours.
You can also use CAA records to lock your domain to only allow specific CAs (like LetsEncrypt) and accounts (like yours) to process requests for a domain. See Enabling ACME CAA Account and Method Binding for some information and links to the RFCs