Hi @stasas,
Using `--standalone` indicates that Certbot will be binding a small webserver to port 80 to respond to HTTP-01 challenges.
The HTML output you're seeing in the `urn:acme:error:unauthorized` error from Let's Encrypt seems to indicate there's another webserver actually answering the HTTP-01 challenge verification requests, and serving page content instead of a challenge response.
My requests to `office.spartagency.com` are showing a `Server: nginx` header in the response. Did you previously have something in your Nginx config that would direct requests to `/.well-known/acme-challenge/` to the Certbot standalone server? In general, are you sure that nothing has changed in the way that HTTP requests to the failing domains are routed?
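The check described in the reply above can be scripted. This is an added example, not part of the original post and not Certbot or Let's Encrypt code: it classifies a raw HTTP response to a `/.well-known/acme-challenge/<token>` request as a challenge response or as page content from another webserver. The function name, token, thumbprint and both sample responses are constructed for illustration.

```python
import re
from email.parser import Parser

# RFC 8555 key authorization: "<token>.<base64url SHA-256 JWK thumbprint>";
# an unpadded base64url SHA-256 digest is always 43 characters long.
KEY_AUTH = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{43}$")

# Constructed sample values (not taken from the thread).
TOKEN = "constructed-token-0123456789abcdef"
THUMBPRINT = "B" * 43

# What an ACME client's challenge responder would be expected to return.
SAMPLE_CHALLENGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    f"{TOKEN}.{THUMBPRINT}\n"
)

# What a different webserver returns when it answers the request instead.
SAMPLE_PAGE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head></html>"
)


def diagnose(raw_response: str, token: str) -> dict:
    """Report status, Server header and what kind of body was served."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block.replace("\r\n", "\n"), headersonly=True)
    status = int(status_line.split()[1])
    body = body.strip()
    if status == 200 and KEY_AUTH.match(body) and body.split(".")[0] == token:
        verdict = "challenge-response"
    elif "<html" in body.lower() or headers.get_content_type() == "text/html":
        verdict = "page-content"  # another server answered the validation request
    else:
        verdict = "other"
    return {"status": status, "server": headers.get("Server", ""), "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("challenge", SAMPLE_CHALLENGE), ("page", SAMPLE_PAGE)):
        print(name, diagnose(raw, TOKEN))
```

A `page-content` verdict together with a `Server` header that is not the ACME client's own responder points to the routing question raised above.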