In order to ensure that your system actually controls your name as seen by everywhere on the Internet, a CA has to check how that name works from everywhere on the Internet. Even if you're only expecting traffic from a small region, the certificate that a CA gives you is valid globally.
You've probably seen this already, but all the suggestions I know of are in there:
There aren't many organizations that restrict their authoritative DNS servers, so there might not be a lot of suggestions out there. You best bet may be to see if you can hook the blocking into the hooks for your ACME client so that it allows all traffic only during the time that domain validation is being performed. Or depending on exactly how you're blocking things, maybe you can allow for _acme-challenge TXT records from everywhere even if you're blocking other types of DNS queries.
You could also try using multiple CAs, as they each are probably checking from different places, so it may be that another CA works better for you than another, depending on where they're checking from and where you are blocking. However, the requirements for CAs to add more locations to check from will keep increasing over time.