If you're in dire need of a working production cert, you can add/remove a domain name from your requested cert so the SANs aren't identical. You should get your house in order in the staging environment first (`--test-cert` and `--break-my-certs`). Since you're using `certonly`, I'm not too worried about your saving staging certs unless you start using deployment hooks and/or scripts to start deploying these "fake" certs. The important part is to get your "certificate lineages" in certbot's data in order, then start leveraging them with `--cert-name`.

Note: I'm just now realizing how limited this all may be with `--csr`.

Update:

Here's your winner to avoid using `--csr`:

`--reuse-key`

It will let you pin your keys without needing to use a static CSR.
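The sequence described in this post, as an added example that is not code from the original post or from certbot itself: a small POSIX sh wrapper that rehearses the lineage against staging (`--test-cert` plus `--break-my-certs`, so an existing valid cert may be replaced by a staging one), then issues for real under a fixed `--cert-name` with `--reuse-key`, and finally checks that the live private key still matches the first key in the lineage's archive. The lineage name `example-com`, the domain list, the `DRY_RUN` switch and the `/etc/letsencrypt/{live,archive}` layout are assumptions for illustration, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post or certbot): staging rehearsal,
# production issue with --cert-name and --reuse-key, and a key-pinning check.
# Assumed for illustration: the lineage name, domains, path layout and DRY_RUN.
set -eu

CERT_NAME="${CERT_NAME:-example-com}"                  # lineage used with --cert-name
DOMAINS="${DOMAINS:-example.com www.example.com}"     # space-separated SAN list
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$CERT_NAME}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/etc/letsencrypt/archive/$CERT_NAME}"
DRY_RUN="${DRY_RUN:-1}"                                # 1 = print commands, 0 = run them

# Build the certbot command line for a mode ("staging" or "production").
# Staging: --test-cert selects the staging CA, --break-my-certs allows a valid
# cert to be replaced by a staging one. Production: --reuse-key keeps the
# lineage's private key across renewals without a static CSR.
certbot_cmd() {
    mode="$1"; name="$2"; shift 2
    cmd="certbot certonly"
    case "$mode" in
        staging)    cmd="$cmd --test-cert --break-my-certs" ;;
        production) cmd="$cmd --reuse-key" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    cmd="$cmd --cert-name $name"
    for d in "$@"; do cmd="$cmd -d $d"; done
    echo "$cmd"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "[dry-run] $1"; else sh -c "$1"; fi
}

# SHA-256 of the DER-encoded public key inside a PEM private key or certificate,
# so a key file and a cert (or two key files) can be compared directly.
pubkey_sha256() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed when two PEM files carry the same public key.
key_is_pinned() {
    [ "$(pubkey_sha256 "$1")" = "$(pubkey_sha256 "$2")" ]
}

main() {
    # 1. Rehearse against staging until the lineage name and SAN list are right.
    run "$(certbot_cmd staging "$CERT_NAME" $DOMAINS)"
    # 2. Issue for real; --reuse-key pins the key for this lineage from now on.
    run "$(certbot_cmd production "$CERT_NAME" $DOMAINS)"
    # 3. After a later renewal, the live key must still equal the first archived key.
    if [ "$DRY_RUN" != "1" ] && [ -f "$ARCHIVE_DIR/privkey1.pem" ]; then
        if key_is_pinned "$ARCHIVE_DIR/privkey1.pem" "$LIVE_DIR/privkey.pem"; then
            echo "key pinned: $LIVE_DIR/privkey.pem matches $ARCHIVE_DIR/privkey1.pem"
        else
            echo "key changed in lineage $CERT_NAME" >&2
            exit 1
        fi
    fi
}

main
```

Run it as-is to see the two commands it would issue; `DRY_RUN=0` executes them. Once `--reuse-key` has been used for a lineage, certbot records it in that lineage's renewal configuration, so a plain `certbot renew` afterwards keeps the same key, which is what the archive-versus-live comparison in step 3 verifies.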