Okay, good news. After generating the certificates I had attempted to reload them into nginx using `sudo service nginx reload` - which normally (AFAIK) will pick up on new certificates without needing to fully restart the nginx server. It appears, however, that it was not picking up the new certificate in this case so I needed to do a full `sudo service nginx restart` - as a consequence foundryvtt.com is now serving the correct shortened certificate and our Electron client is successfully connecting to the website!
For others who encounter this thread, it looks like the full solution is as follows:
- Generate a new certificate using the `--preferred-chain` custom certbot option, for example: `sudo certbot certonly --nginx -d <domain> --preferred-chain "ISRG Root X1"`
- Full restart (not reload) of nginx: `sudo service nginx restart`
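
A way to check the result of the two steps above, as an added example that is not part of the original post: it reads the "Certificate chain" section printed by `openssl s_client` and reports whether the chain the server actually sends ends at the root named in `--preferred-chain`. The function names, the `example.org` host and both sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Live use (example.org is a placeholder host):
#   openssl s_client -connect example.org:443 -servername example.org \
#     </dev/null 2>/dev/null | chain_ends_at "ISRG Root X1"

# Print the CN of the issuer of the last certificate the server sent.
top_issuer() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    $0 == "---" { in_chain = 0 }              # separator that ends the section
    in_chain && /^[ \t]+i:/ { last = $0 }     # keep the final issuer line
    END {
      if (last == "") exit 1
      sub(/.*CN[ \t]*=[ \t]*/, "", last)      # handles "CN = x" and "/CN=x"
      sub("[,/].*", "", last)
      print last
    }'
}

# Exit 0 if the served chain ends at the expected root, 1 if not, 2 on bad input.
chain_ends_at() {
  want="${1:-ISRG Root X1}"
  got="$(top_issuer)" || { echo "no certificate chain in input" >&2; return 2; }
  if [ "$got" = "$want" ]; then
    echo "OK: served chain ends at '$got'"
  else
    echo "MISMATCH: served chain ends at '$got', expected '$want' (old certificate still loaded?)"
    return 1
  fi
}

# Constructed sample: shortened chain, as served after the full restart.
sample_short() { cat <<'EOF'
Certificate chain
 0 s:CN = example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}
# Constructed sample: longer chain with a cross-signed ISRG Root X1 appended.
sample_long() { sample_short | sed '$d'; cat <<'EOF'
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}
sample_short | chain_ends_at || true
sample_long  | chain_ends_at || true
```

Running the live form once after the reload and again after the restart shows whether nginx has switched to the newly issued chain.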