The way to call ACME procedure from python

Hello and thanks for good questions :slight_smile:

We call certbot using certonly + non-interactive. Certbot gets "--webroot" (for example /var/acme/verifications) where it generates the "token", and then we have Flask which serves the content when it is requested by the CA. For the DNS verification it gets a bit more complicated, but using that "auth-hook" we will solve it.

Overall our system consists of 2 app servers running Python, then 2 web frontends and 2 DB servers, quite a standard setup. We focus on automation of the infra (LBs, DNS, FW, etc.), which is why we use Python. And for ACME we built 2 small additional servers running Python with Flask (API endpoints), and the Python code calls certbot. We chose certbot because it was fairly easy for us to use it by just calling it and letting it do the job. I admit using a Python library would be better for its integration into our system.
ACME servers are in active/standby mode (behind LB).

Our scope is somewhere between a few hundred and 1k certificates that need to be maintained, with a few certs being added daily (my guess). That is the final state; we are now at the beginning, having a few tens of certificates. We sign certs with Let's Encrypt but also with other CAs supporting ACMEv2, so far with the HTTP challenge, soon with DNS when we connect the "top layer Python" with the DNS servers.

Not sure about the question about "registered rights", but the domains belong mostly to our customers; we are supposed to keep certificates up to date and install them on the infrastructure (servers, LBs, WAFs).

certbot datastore - we use "--config-dir" for each CA/eab-kid and that works well. When we fail over to the second server it works as well, even though the config directory is not synchronized; certbot fills it with the data it needs. Not sure if that has any handicap, but we did not notice any issue.

We'd need to migrate the "ACME server" to a container, and we already detected some issues with certbot, so yep, that can be a reason to use something else.

Btw I think (I might be wrong) last year there was one ACME client which had a vulnerability/backdoor; can't remember the case. But that was also one of the reasons we chose certbot - because it is created and maintained by the ACME founders, so I thought, what could actually be better? :slight_smile:

PS: using certbot might be helpful when solving issues with a CA. For example, we troubleshot one issue with Digicert, and the certbot logs were something their engineering team understood. This can be important.

Thanks for your interest and I hope I replied to all your questions.
Zdenek

2 Likes
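The setup described in this reply (a non-interactive `certbot certonly --webroot` run with one `--config-dir` per CA/EAB key ID, and a Flask endpoint that serves the HTTP-01 token from the webroot), as an added example that is not the poster's code. It assumes Flask 2.x for `make_app()`, uses the constructed webroot `/var/acme/verifications` from the post, and treats the CA URL and EAB values as placeholders; the token lookup rejects malformed names so the endpoint cannot be used to read files outside the challenge directory.

```python
import re
import subprocess
from pathlib import Path

# HTTP-01 tokens are base64url without padding (RFC 8555 section 8.3).
# Anything else (dots, slashes, empty) is rejected before touching the filesystem.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,128}$")


def certbot_args(domains, ca_url, config_dir, webroot,
                 eab_kid=None, eab_hmac_key=None, email=None):
    """Build argv for a non-interactive certbot certonly run (webroot challenge).
    One --config-dir per CA / EAB key ID keeps account and cert state separate."""
    args = ["certbot", "certonly", "--non-interactive", "--agree-tos",
            "--server", ca_url, "--config-dir", str(config_dir),
            "--webroot", "--webroot-path", str(webroot)]
    args += ["--email", email] if email else ["--register-unsafely-without-email"]
    if eab_kid:  # external account binding, e.g. for a commercial ACMEv2 CA
        args += ["--eab-kid", eab_kid, "--eab-hmac-key", eab_hmac_key]
    for domain in domains:
        args += ["-d", domain]
    return args


def run_certbot(args):
    """Run certbot and return the CompletedProcess; stdout/stderr are what a CA's
    support team will usually ask for when troubleshooting."""
    return subprocess.run(args, capture_output=True, text=True, check=False)


def challenge_path(webroot, token):
    """Path of the file certbot wrote for `token`, or None if the token is
    malformed or would resolve outside .well-known/acme-challenge."""
    if not TOKEN_RE.match(token):
        return None
    base = Path(webroot, ".well-known", "acme-challenge").resolve()
    candidate = (base / token).resolve()
    return candidate if candidate.parent == base else None


def make_app(webroot):
    """Flask app (assumed Flask 2.x) answering the CA's HTTP-01 validation request."""
    from flask import Flask, abort
    app = Flask(__name__)

    @app.get("/.well-known/acme-challenge/<token>")
    def serve_token(token):
        path = challenge_path(webroot, token)
        if path is None or not path.is_file():
            abort(404)
        return path.read_text(), 200, {"Content-Type": "application/octet-stream"}
    return app
```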