Hello @AndrewSmith,
Another thing to possible do is use https://smallstep.com/ 's Build a Tiny Certificate Authority For Your Homelab
This is intended for certificate to be used on an internal network, not the Internet at large.
Yes you are correct. However from Rate Limits - Let's Encrypt
For instance, in the name www.example.com , the registered domain is example.com . In new.blog.example.co.uk , the registered domain is example.co.uk . We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message too many certificates already issued , possibly with additional details.
So using the Public Suffix List maybe able to assist, but I defer to the Let's Encrypt Staff as offering the best solution for you and your students.