Not crucial at all, I switched to the global API in the ini
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = cloudflare@example.com
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234
That worked so I switched it back to the restricted version to continue testing
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
Using the global version worked to renew them just fine, so it doesn't appear to be an issue with it using the wrong ini file.
I only noticed all of this because the previous certs had expired. So there's no hurry on this at all. If I should have opened a ticket on github or similar let me know.