--standalone is meant for sites that are not running any kind of webserver. It will not work if you have a webserver running on the standard ports.
I believe the easiest method of verification for you is tls-sni-01. Certbot will create a fake hostname with a special certificate in your nginx config, connect to the server at the domain you want the certificate for, request the fake hostname via Server Name Indication, and approve the validation request if it gets back the right certificate. Certbot generates its own separate server blocks in your nginx config to do this, so it won’t interfere with your existing proxied hosts.
certbot run --nginx --preferred-challenges tls-sni-01 -d user1.domain.com -d user2.domain.com -d ...
If you don’t want certbot to automatically adjust your nginx configs, you will need to use webroot authentication with certbot certonly and add location blocks to all your proxied hosts so they return files in /.well-known/acme-challenge from a local directory instead. You can point them all to the same directory and pass that to certbot as the webroot for all domains if you want; there is no need for them to be separate.
certbot certonly --webroot -w /var/www/acme-webroot -d user1.domain.com -d user2.domain.com -d ...
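
The location blocks described in the post above could look like the following. This is an added example, not part of the original post; the snippet path /etc/nginx/snippets/acme-challenge.conf and the backend addresses are assumptions, while the webroot and hostnames are the ones used in the commands above.

```nginx
# --- File: /etc/nginx/snippets/acme-challenge.conf (assumed path) ---
# Serve ACME challenge files from the shared webroot that is passed to
# certbot with -w. The "^~" modifier keeps any regex location in the same
# server block from taking over this prefix.
location ^~ /.well-known/acme-challenge/ {
    # Files are read from <root>/.well-known/acme-challenge/<token>,
    # which is where certbot's webroot plugin writes them.
    root /var/www/acme-webroot;
    default_type text/plain;
    # Answer 404 for unknown tokens instead of falling through to the backend.
    try_files $uri =404;
}

# --- Proxied hosts (backend addresses are constructed for this example) ---
server {
    listen 80;
    server_name user1.domain.com;

    # Same challenge directory for every host; no per-domain webroot needed.
    include /etc/nginx/snippets/acme-challenge.conf;

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
    }
}

server {
    listen 80;
    server_name user2.domain.com;

    include /etc/nginx/snippets/acme-challenge.conf;

    location / {
        proxy_pass http://127.0.0.1:8082;
        proxy_set_header Host $host;
    }
}
```

Because the challenge location only exposes one directory under the webroot, keep /var/www/acme-webroot empty of anything else and writable only by the account that runs certbot.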