You can run the "Palo Alto" checks using the curl examples on this post. Of course, change the domain name to yours and make sure to run the test from outside your local network so request passes thru your firewall from outside. If your curl requests behave similarly then it's the firewall.
The instructions were in the post I provided earlier. I don't have one myself but it is described as being the "acme-protocol" rule in the Application rules. You'd have to ask on the Palo Alto forums if you can't find it from that. But, many people have.
You don't need to create any challenge file. You will get a 404 Not Found or a "reset by peer" indicating it was blocked by firewall.
There are good ways to debug the standalone but it seems like it is your firewall so check that first.