Subdomains or SAN additions and DNS validation

So is the problem that Bind doesn't let you have a credential for updating just the _acme-challenge records and requires a credential for updating anything in a zone? If so, and if your security policy (reasonably) doesn't want credentials that can update anything on all your servers, then I think the usual approach would be to create just one separate zone that the credentials can modify, and have all the _acme-challenge records that you need be a CNAME into a corresponding record within that zone. I don't think certbot handles that kind of scenario, but some other clients do. (I happen to know acme.sh does, for instance, but I don't think it's the only one.)

However, I could have sworn I've seen people here that used Bind and had set up credentials that only gave access to the needed TXT records, without needing to set up other zones and delegations and such. Maybe I'm mixing it up with something else, though. Hopefully, someone else here has some experience with Bind/RFC2136 setups for you.

You might also want to take a look at software like acme-dns or agnos, which you could delegate your DNS records to and are designed for integrating DNS updates, if you can't figure out how to do it through Bind.

4 Likes
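The delegated-zone layout described in the first paragraph, written out as an added example (it is not from the post above, nor from Bind, certbot or acme.sh documentation). Zone names, file paths and the TSIG key name are assumptions; the secret is a placeholder.

```conf
// --- named.conf fragment: the TSIG key may only write TXT records
// --- below the delegated zone; example.com itself stays static.
key "acme-update" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_TSIG_SECRET";   // placeholder, not a real key
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    // no allow-update / update-policy here: dynamic updates are refused
};

zone "acme.example.com" {
    type primary;
    file "/var/named/acme.example.com.db";
    update-policy {
        // key name, rule type, names it applies to, permitted record types
        grant acme-update subdomain acme.example.com. TXT;
    };
};

// --- records kept in the static example.com zone file ---
// delegation, so resolvers (and the CA) can reach the update zone:
//   acme.example.com.                 IN NS    ns1.example.com.
// one CNAME per name that needs a certificate; the CA follows it:
//   _acme-challenge.www.example.com.  IN CNAME www.example.com.acme.example.com.
//   _acme-challenge.mail.example.com. IN CNAME mail.example.com.acme.example.com.

// --- what the ACME client sends (nsupdate batch signed with the key
// --- above); the same key cannot modify example.com at all.
//   server ns1.example.com
//   zone acme.example.com
//   update add www.example.com.acme.example.com. 60 TXT "<token-from-CA>"
//   send
```

A compromise of the client host therefore exposes only the ability to write TXT records under acme.example.com, which is the check to run (try an update against example.com with that key and confirm it is refused) before handing the key to each server.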