It's preferable to at least allow all HTTP requests to /.well-known/acme-challenge,
but that depends on the capabilities of your firewall.
You can also (in practice) block specific countries, assuming you have certain ones in mind, and still pass validation.
If you're firmly against HTTP being open, you would need to switch to DNS domain validation.
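
Where the firewall cannot filter by URL path, the same restriction can be applied at the web server. The nginx server block below is an added example, not part of the original post: port 80 answers only the ACME challenge path and drops everything else. The host name `example.com` and the webroot `/var/www/acme` are assumptions.

```nginx
# Added example; example.com and /var/www/acme are assumed placeholders.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # HTTP-01 validation: the CA fetches
    # http://<domain>/.well-known/acme-challenge/<token> over port 80.
    # "^~" stops regex locations elsewhere in the config from overriding
    # this prefix match.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;              # ACME client writes token files under this webroot
        default_type text/plain;
        limit_except GET { deny all; }   # validation only needs GET (HEAD is allowed implicitly)
        try_files $uri =404;             # serve existing token files only, never a directory index
    }

    # Everything else on port 80 is refused; the site itself is served over HTTPS only.
    location / {
        return 444;                      # nginx-specific: close the connection without a response
    }
}
```

With this layout the token files live in `/var/www/acme/.well-known/acme-challenge/`, so the ACME client must be pointed at `/var/www/acme` as its webroot.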