I think it should work, I don’t see anything unusual.
The only thing that comes to mind is the possibility that you are running into this bug, which can be summed up as: when there are a lot of nginx virtualhosts, nginx doesn’t reload quickly enough when Certbot is responding to the challenges. I didn’t think that only 21 virtual hosts could trigger this, but who knows.
To confirm whether the above is the issue, you could try renew with --dry-run --debug-challenges, which will cause Certbot to pause right after it modifies your nginx configuration with the challenge response. You can then open up the config to see how the config has been changed and whether you can access that challenge resource in the browser.
If you don’t really care to investigate, you could just adopt the -a webroot method permanently. At least, it avoids excessive reloading of your nginx server, and if you have that letsencrypt.conf snippet included everywhere, it should work for all your domains.
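One way to check the "included everywhere" condition before switching to the webroot method, as an added example that is not part of the forum post and not Certbot's own code: a small Python scanner that walks every `server { ... }` block in an nginx config (for instance the flattened output of `nginx -T`) and reports which server_names lack either an `include` of the letsencrypt.conf snippet or an inline `location /.well-known/acme-challenge/` block. The sample config, the snippet path and the hostnames below are constructed for the example; the brace matching is deliberately naive and assumes no braces inside quoted strings.

```python
"""Audit nginx server blocks for the HTTP-01 challenge location.

Added example (not from the forum post or from Certbot): a deliberately
simple brace-matching scanner. Assumptions: the config is one string
(e.g. `nginx -T` output), the snippet is pulled in via
`include .../letsencrypt.conf;` or written inline as a
`location /.well-known/acme-challenge/` block, and no brace characters
appear inside quoted strings.
"""
import re
from typing import Dict, List

SNIPPET_NAME = "letsencrypt.conf"             # snippet file name mentioned in the post
CHALLENGE_PATH = "/.well-known/acme-challenge/"  # path Certbot's HTTP-01 challenge uses

# Constructed sample config: three vhosts, one of them missing the snippet.
SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        server_name example.com www.example.com;
        include /etc/nginx/snippets/letsencrypt.conf;
        location / { return 301 https://$host$request_uri; }
    }
    server {
        listen 80;
        server_name blog.example.com;
        location / { proxy_pass http://127.0.0.1:8080; }
    }
    server {
        listen 80;
        server_name api.example.com;
        location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
        location / { proxy_pass http://127.0.0.1:9000; }
    }
}
"""


def server_blocks(config: str) -> List[str]:
    """Return the body of every `server { ... }` block, matched by brace depth."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", config):
        start = m.end()          # first character after the opening brace
        depth, i = 0, m.end() - 1
        while i < len(config):
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
                if depth == 0:
                    blocks.append(config[start:i])
                    break
            i += 1
    return blocks


def server_names(block: str) -> List[str]:
    """All names from server_name directives in a block (or a placeholder)."""
    names: List[str] = []
    for m in re.finditer(r"\bserver_name\s+([^;]+);", block):
        names.extend(m.group(1).split())
    return names or ["(no server_name)"]


def serves_challenge(block: str) -> bool:
    """True if the block includes the snippet or defines the challenge location."""
    has_include = re.search(r"\binclude\s+[^;]*" + re.escape(SNIPPET_NAME) + r"\s*;", block)
    has_location = re.search(r"\blocation\s+[^{]*" + re.escape(CHALLENGE_PATH), block)
    return has_include is not None or has_location is not None


def audit(config: str) -> Dict[str, bool]:
    """Map each server_name to whether its block can answer the HTTP-01 challenge."""
    result: Dict[str, bool] = {}
    for block in server_blocks(config):
        ok = serves_challenge(block)
        for name in server_names(block):
            result[name] = ok
    return result


def missing(config: str) -> List[str]:
    """Sorted list of server_names whose block cannot serve the challenge."""
    return sorted(name for name, ok in audit(config).items() if not ok)


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG).items():
        print(f"{name:25} {'ok' if ok else 'MISSING challenge location'}")
```

Run it against `nginx -T` output (`nginx -T | python3 audit_acme.py` with a small `sys.stdin.read()` swap for SAMPLE_CONFIG) and any name it lists is a vhost where a webroot-based renewal would fail for that domain until the snippet is included.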