Including "ISRG Root X1" with my IoT firmware beforehand

This is a really tough situation to be in. I can only recommend that you use Let's Encrypt certificates (or certificates from any publicly trusted CA) with devices that get a regularly updated trust store. All publicly trusted CAs are subject to a variety of requirements, many of which are outside our control and yours. If those requirements change, we might need to change out our root certificates, or issue different kinds of certificates, or revoke all certificates of a given type.

My first recommendation is: Design and test a robust remote-update strategy. This is critical for your users' security.

If that's not possible, my second recommendation is: Generate your own root certificates, and configure your IoT devices to trust those roots. That way you are fully in control of your own fate, and cannot have your devices bricked by changes in the WebPKI. This may seem like an abstract worry, but the archives on Google Groups contain many stories of CAs that have had to revoke certificates or change issuance practices, and have broken large numbers of IoT devices.

Generating your own CA doesn't have to be hard. If your security requirements are low, you can do it in seconds with a tool like minica (https://github.com/jsha/minica), a small, simple CA intended for use in situations where the CA operator also operates each host where a certificate will be used. If you have somewhat higher requirements, you can make your own CA on a Yubikey (https://developers.yubico.com/PIV/Guides/Certificate_authority.html). Or if you don't want to fuss with managing a CA yourself, you can use Google's hosted private CA service (Certificate Authority Service, Google Cloud). Just remember, if you go the "do it yourself" route, to keep the devices that hold your keys physically safe, and make sure you have robust backups.

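A worked example of the "generate your own root and trust only that" approach, added here and not part of the post above or of any of the tools it names. It uses only Go's standard library: it mints a private root, has that root issue a certificate for an update server, and then runs the check a device would run on connect against a trust store holding only the roots baked into its firmware. The second root and the "old firmware / new firmware" trust stores are constructed to show why the trust store still needs a rotation path even when you own the root; the hostnames, names and serial numbers are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRootCA builds a self-signed root certificate and its key. In practice the
// key would live on a hardware token; here it is an in-memory example key.
func newRootCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(20 * 365 * 24 * time.Hour), // long-lived: it ships in firmware
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueServerCert has the private root sign a short-lived leaf for the update
// server. Only the leaf is short-lived; the root embedded in devices is not.
func issueServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // verification matches the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// deviceVerify models the firmware's check on connect: the chain must end in one
// of the roots in the device's own trust store, and the name must match.
func deviceVerify(trustStore []*x509.Certificate, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, root := range trustStore {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	const host = "updates.example.com" // constructed hostname
	rootA, keyA, _ := newRootCA("Example Fleet Root A", 1)
	rootB, keyB, _ := newRootCA("Example Fleet Root B", 2) // the root you rotate to later
	leafA, _ := issueServerCert(rootA, keyA, host, 100)
	leafB, _ := issueServerCert(rootB, keyB, host, 101)

	oldFirmware := []*x509.Certificate{rootA}        // shipped trusting only root A
	newFirmware := []*x509.Certificate{rootA, rootB} // updated to trust both during rotation
	fmt.Println("old firmware, cert from root A:", deviceVerify(oldFirmware, leafA, host))
	fmt.Println("old firmware, cert from root B:", deviceVerify(oldFirmware, leafB, host))
	fmt.Println("new firmware, cert from root B:", deviceVerify(newFirmware, leafB, host))
	fmt.Println("new firmware, wrong hostname:  ", deviceVerify(newFirmware, leafB, "other.example.com"))
}
```

The second and third cases are the whole argument of the post in miniature: a device whose trust store was frozen at root A cannot be moved to root B by any change on the server side, so the trust store itself has to be updatable (the first recommendation) or the root has to be one you control and will never be forced to replace (the second). Bundling the next root into firmware well before it is used is how you keep the option of rotating even a private root.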