Unable to auto renew certificates

You should probably better understand the reason https was deprecated to get why things are as they are: March 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support

We would all like that answer. I can only guess that NOT until it can be done 100% securely.

I believe TLS-ALPN will continue to be supported thereafter; but the requirements for TLS-ALPN are near to "impossible" to implement easily for the average user.

If you have security concerns about allowing http traffic to your "sensitive" systems, then don't use those systems to handle the http connections.
I would use two separate systems:
One for HTTP and one for HTTPS.
You could proxy (only challenges) to the HTTPS system.
Or handle them entirely on the HTTP system; then share the certs to the other internal systems that actually use them.
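As an added illustration of the "proxy (only challenges)" layout described above (example configuration, not from the original post): an edge host is the only system exposed on TCP/80 and forwards nothing but the ACME HTTP-01 challenge path to the internal host that runs the ACME client; every other plaintext request is redirected or refused. The hostnames, the addresses 203.0.113.10 and 10.0.0.5, and the webroot /var/www/acme are assumptions.

```nginx
# --- Edge host (assumed address 203.0.113.10): the only system listening on port 80 ---
server {
    listen 80;
    server_name example.com www.example.com;   # assumed hostnames

    # Forward ONLY the ACME HTTP-01 challenge path to the internal system.
    # "^~" makes this prefix match take priority over any regex locations.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://10.0.0.5:80;           # assumed internal address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # No other plaintext request ever reaches the sensitive system.
    # Redirect to HTTPS, or use "return 444;" to drop the connection outright.
    location / {
        return 301 https://$host$request_uri;
    }
}

# --- Internal host (assumed address 10.0.0.5): runs the ACME client, holds the certs ---
server {
    listen 10.0.0.5:80;
    server_name example.com www.example.com;

    # Serve the webroot the ACME client writes challenge tokens into
    # (assumed to be /var/www/acme, e.g. certbot --webroot -w /var/www/acme).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    # Anything else arriving on port 80 is refused, even from the edge host.
    location / {
        return 404;
    }
}
```

Only the challenge prefix is reachable over plaintext end to end, so the HTTPS-serving system never handles general HTTP traffic while renewals still succeed.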