Short chain and DANE

Quick tech note: you probably missed the +nosplit option in the dig manpage. Avoids the need for fragile hacks to try to restitch the output.

Anyway, I am not sure what searching crt.sh achieves. The check you need is against a current complete list of the intermediates used by Let's Encrypt, and I don't see how the crt.sh lookup of just the TLSA RRs you're using does that.

The right thing to do is to put a "gate" between your actual live certificates, and what the ACME client gives you, and check that the obtained certificate chain matches your TLSA records, before installing them into the actual location where your mailserver loads its certificates.

If the match fails, you have 30 days to discover why ACME gave you a non-matching chain and to fix the problem.

You could also mark on your calendar a task to check the LE certificate page once or twice a year, and do any necessary housekeeping, since you might be publishing TLSA records matching retired CAs, and the "gate" above won't catch that.

Once you do have a list of the "active" intermediate CA certs, you can easily compute their key digests without queries to crt.sh.

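The "gate" described in the post above, as an added example that is not part of the original post or the poster's own tooling. It checks the chain an ACME client hands back against the TLSA RRset you publish, using the RFC 6698 / RFC 7671 matching rules (usage 3, DANE-EE, matches the leaf; usage 2, DANE-TA, matches an issuer present in the chain; selector 1 is the SubjectPublicKeyInfo; matching type 1 is SHA-256), and only calls the install step when a record matches. The certificates in it are constructed in-line for the demonstration: unsigned, structurally minimal X.509 objects, not real Let's Encrypt certificates, so the script runs offline. The function and variable names are this example's own.

```python
# Added example: gate an ACME chain on the published TLSA RRset before installing it.
# Sample certificates below are constructed in-line (unsigned, minimal), not real certs.
import base64, hashlib, re

def der(tag, content):
    """Encode one DER TLV (definite lengths up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, end_offset)."""
    n, hdr = buf[pos + 1], 2
    if n >= 0x80:                           # long-form length: 0x8k followed by k length bytes
        k = n & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    return buf[pos], buf[pos + hdr:pos + hdr + n], pos + hdr + n

def der_children(body):
    """Yield (tag, whole_tlv, content) for each TLV inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, content, end = der_read(body, pos)
        yield tag, body[pos:end], content
        pos = end

def spki_of(cert_der):
    """DER SubjectPublicKeyInfo of a certificate (RFC 5280 tbsCertificate field order)."""
    tbs_body = next(der_children(der_read(cert_der)[1]))[2]
    fields = list(der_children(tbs_body))
    skip = 1 if fields[0][0] == 0xA0 else 0   # optional [0] EXPLICIT version
    return fields[skip + 5][1]                 # serial, sigalg, issuer, validity, subject, SPKI

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data for a TLSA selector (0=cert, 1=SPKI) and matching type."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return data.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()

def tlsa_rdata(cert_der, usage, selector, mtype):
    """Presentation-format RDATA such as '2 1 1 <hex>' (what you would publish in DNS)."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_data(cert_der, selector, mtype))

def pem_to_ders(pem):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_matches_tlsa(pem_chain, tlsa_records):
    """True if at least one TLSA RR matches the chain ACME handed back (RFC 7671 rules)."""
    certs = pem_to_ders(pem_chain)
    if not certs:
        return False
    leaf, issuers = certs[0], certs[1:]
    for rr in tlsa_records:
        usage, selector, mtype, assoc = rr.split()
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        if usage == 3:       # DANE-EE: the end-entity certificate itself
            candidates = [leaf]
        elif usage == 2:     # DANE-TA: an issuer certificate present in the chain
            candidates = issuers
        else:                # PKIX-TA/PKIX-EE are not used for SMTP DANE (RFC 7672)
            continue
        if any(tlsa_data(c, selector, mtype) == assoc.lower() for c in candidates):
            return True
    return False

def gate_install(pem_chain, tlsa_records, install):
    """Hand the chain to the live location only if it matches; otherwise keep the old certs."""
    if not chain_matches_tlsa(pem_chain, tlsa_records):
        return False
    install(pem_chain)
    return True

# ---- constructed sample input (not real certificates) ----
def fake_cert(cn, key_bytes):
    """Unsigned, structurally minimal certificate carrying an RSA-typed SPKI."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, rsa + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name + validity + name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + bytes(32)))

def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

LEAF = fake_cert("mail.example.net", bytes([1]) * 64)
INTERMEDIATE = fake_cert("Example Intermediate CA", bytes([2]) * 64)
RETIRED_CA = fake_cert("Example Retired Intermediate CA", bytes([3]) * 64)
ACME_CHAIN = to_pem(LEAF) + to_pem(INTERMEDIATE)
PUBLISHED_TLSA = [tlsa_rdata(INTERMEDIATE, 2, 1, 1)]   # what the zone should contain
STALE_TLSA = [tlsa_rdata(RETIRED_CA, 2, 1, 1)]         # zone still pointing at a retired CA
```

In the deployment hook you would pass the chain file the ACME client wrote, the TLSA RRset you actually publish, and an `install` callback that copies the files into the mailserver's certificate directory and reloads it; when the gate returns False nothing is touched and the previous certificates keep serving, which is what gives you the time window to investigate. The `2 1 1` value `tlsa_rdata` produces for a real intermediate is the same one you get from the certificate itself with `openssl x509 -in intermediate.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, so the published records can be generated from the current list of active intermediates without any crt.sh lookups. The gate only tells you whether the chain you were given matches what you publish; it cannot tell you that a published record refers to a CA that has since been retired.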