Does your firewall allow rules to block all except the /.well-known/acme-challenge path?
Or, consider the DNS challenge. That uses a TXT record in your DNS rather than port 80 for the HTTP challenge (or port 443 for the TLS-ALPN challenge).
EDIT: Or, use a Certbot pre-hook and post-hook to open/close port 80 at your firewall. Then it is only exposed during the cert request.
This wiki has more helpful info: Multi-Perspective Validation & Geoblocking FAQ
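The pre-hook/post-hook approach from the post, written out as an added example (not code from the poster or from Certbot): one script that opens TCP/80 when Certbot calls it as the pre-hook and closes it again as the post-hook, so the port is reachable only while the HTTP-01 challenge runs. It assumes an iptables host firewall whose INPUT chain drops by default; the `IPT` variable is an assumption so the script can be dry-run without root (e.g. `IPT=echo`), and ufw/nftables users would swap in their own commands.

```shell
#!/bin/sh
# Added example: temporarily open port 80 around a Certbot run.
# Usage (hypothetical install path):
#   certbot renew --pre-hook  "/usr/local/sbin/acme-fw.sh pre" \
#                 --post-hook "/usr/local/sbin/acme-fw.sh post"
# IPT is an assumption for this example: set IPT=echo to see the
# commands without changing any firewall rules.
IPT="${IPT:-iptables}"
# Single ACCEPT rule for the HTTP-01 challenge port.
RULE="INPUT -p tcp --dport 80 -j ACCEPT"

# Pre-hook: insert the rule at the top of INPUT so it matches before
# any default DROP rule further down the chain.
open_port80() {
    $IPT -I $RULE
}

# Post-hook: remove the rule only if it is present (-C = check), so a
# post-hook after a failed pre-hook does not error out.
close_port80() {
    if $IPT -C $RULE >/dev/null 2>&1; then
        $IPT -D $RULE
    fi
}

# Dispatch on the hook name Certbot is configured to pass.
acme_hook() {
    case "$1" in
        pre)  open_port80 ;;
        post) close_port80 ;;
        *)    echo "usage: $0 pre|post" >&2; return 2 ;;
    esac
}

if [ -n "${1:-}" ]; then
    acme_hook "$1"
fi
```

Certbot runs the post-hook even when the challenge fails, so the port is closed again on both the success and failure paths.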