Obviously the power that be need to decide what is best for us, but as an email only server admin the choices for authentication are somewhat limited.
I understand TLS-SNI is out of the picture, using apache only for this purpose is not groovy at all, which leaves DNS.
It was mentioned that APIs exist for this purpose, but not all ISPs support it, and quite frankly I do not think that automatically updating DNS records for the sake of publishing a challenge token is a good idea.
Your idea to use a challenge token sounds good enough to me.
The signing server sends token to certbot client, certbot signs it with private key, the server checks response with public DKIM key.
This way the identity is checked before signing the CSR, which makes more sense.
As an afterthought: one could use the same principle with web servers as well. Instead of the challenge you have at the moment the host would publish a public key at a certain location before it initiates signing (and remove it when not needed). That sounds simpler to me.