Makes sense. With the apache authenticator you would typically write an apache Location directive to specially handle the http-01 challenge files requested under /.well-known/acme-challenge/ such that those requests are not proxied. However, if the server running the ACME client (certbot) is not the one terminating SSL (serving the SSL certificate to the requester), this can pose challenges. I'm going to phone-a-friend here who is very experienced with complex setups to get his recommendations.
Penny for your thoughts here.