Excellent!
The SERVFAIL response code may have come from Let's Encrypt's Unbound recursive resolver. Recursive resolvers will return SERVFAIL if an authoritative resolver is unresponsive, OR if an authoritative resolver returns SERVFAIL (or a few other reasons). In theory Unbound has a number of retries and I thought it would have hit your working resolver on a retry, but doesn't seem to have happened in this case.
Glad you've got things working!