Timeout when submitting CSR although crt.sh says a cert is generated

We've seen this sort of thing a small handful of times around here, where the "finalize" call doesn't get a response even though the other ACME API calls work and in some of them, Let's Encrypt seems to actually be issuing the certificate fine.

There hasn't been a single easy-to-find explanation across all of them. Generally, because the finalize call includes the CSR, it has larger-size packets than the other requests which can help explain why a network misconfiguration might affect that request but not others.

Some things to try include:

  1. Double-checking MTU/MSS settings, and that ICMP messages for path MTU discovery aren't being dropped. A first step might be trying Cloudflare's ICMP IPv4 Blackhole Check and the corresponding IPv6 check from your server, but this can get pretty esoteric pretty quickly and gets beyond my expertise, and it depends a lot on how your network is set up.
  2. Getting an actual packet dump (from Wireshark and/or similar tools) to see if that sheds any light.
  3. Using an ECDSA key for the certificate CSR instead of an RSA one, just because it might be smaller enough to work even though there's something affecting larger requests. (That's, of course, assuming that your server and expected clients support ECDSA, which is usually the case but not always.)
  4. Trying a different CA, at least to see if you get different behavior or more helpful packet captures. (And depending on your requirements, it might be a good enough workaround if another CA happens to work.)

Some past threads with possibly-similar issues, just to reference:

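To put numbers on the size argument behind tip 3, here is an added example (not from the post above, and not Let's Encrypt or any ACME client's own code) that builds the JSON body an ACME client POSTs to the order's finalize URL for an RSA-2048 CSR and for an ECDSA P-256 CSR and reports how big each is. The names example.com and www.example.com are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
)

// finalizePayloadSize builds the body an ACME client POSTs to the order's
// "finalize" URL (RFC 8555 s7.4: {"csr": base64url(DER)}) for the given key
// and returns its length in bytes. The JWS envelope and HTTP headers are added
// on top of this in the real request, so the wire size is larger still.
func finalizePayloadSize(key any) (int, error) {
	tmpl := &x509.CertificateRequest{
		// Constructed sample names; the size comparison does not depend on them.
		Subject:  pkix.Name{CommonName: "example.com"},
		DNSNames: []string{"example.com", "www.example.com"},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return 0, err
	}
	payload, err := json.Marshal(map[string]string{
		"csr": base64.RawURLEncoding.EncodeToString(der),
	})
	return len(payload), err
}

// compareCSRSizes returns the finalize payload size for an RSA-2048 CSR and
// for an ECDSA P-256 CSR (tip 3 above) so the two can be compared directly.
func compareCSRSizes() (rsaPayload, ecPayload int, err error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	if rsaPayload, err = finalizePayloadSize(rsaKey); err != nil {
		return 0, 0, err
	}
	ecPayload, err = finalizePayloadSize(ecKey)
	return rsaPayload, ecPayload, err
}
```

The RSA-2048 payload alone comes out at several hundred bytes more than the P-256 one, which is why a request that is already near a broken path-MTU boundary can start working after switching key types.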