I'm sure you can do it using an Apache reverse proxy, but it seems to me like an awkward approach.
My advice would be to forget HTTP validation altogether and use DNS validation. You can host your own acme-dns service (or check out Certify DNS in the Certify The Web docs) to handle DNS validation challenge responses. This technique uses a CNAME (in your real public DNS) for each host name, pointing to a dynamic record hosted on the DNS validation service. This dynamic record is updated during renewal, leaving your own DNS untouched. All popular ACME clients support this technique. You create the CNAME once per hostname, and renewals can be handled automatically forever after.
Some ACME clients also support surrogate domains for validation (e.g. you can CNAME _acme-challenge.app-01.yourdomain.com to _acme-challenge.app-01.auth.yourdomain.com). That way you can have the public DNS hosting for auth.yourdomain.com on something public with a well-supported API (like Cloudflare, also free), and just use it for domain validation.
Once you have a method for renewing all of your certificates, you need a deployment method to copy the certificate to each destination and apply it (or pull the certificate and apply it). This can be done with scripting in most cases. Other techniques include storing your renewed cert in a vault (HashiCorp Vault, Azure Key Vault, etc.), then having the individual servers pull the latest cert on a regular basis (again, with a script).
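A pre-renewal sanity check for the CNAME delegation described above, as an added example that is not part of the original post: it follows the `_acme-challenge` CNAME chain the way a validating CA would (with loop and depth guards) and confirms the chain ends inside the auth zone at a name that holds a TXT record. The `SAMPLE_RECORDS` dict is a constructed stand-in for real DNS lookups; `yourdomain.com`, `auth.yourdomain.com` and the host names are assumed placeholders.

```python
from typing import Dict, List, Tuple

MAX_CHAIN = 8  # CAs cap CNAME chain depth; this also stops runaway chains

# Constructed sample records (name -> (type, value)); nothing here is live DNS.
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    "_acme-challenge.app-01.yourdomain.com.": ("CNAME", "_acme-challenge.app-01.auth.yourdomain.com."),
    "_acme-challenge.app-01.auth.yourdomain.com.": ("TXT", "constructed-challenge-token"),
    "_acme-challenge.app-02.yourdomain.com.": ("TXT", "token-kept-in-main-zone"),  # not delegated
    "_acme-challenge.app-03.yourdomain.com.": ("CNAME", "_acme-challenge.app-03.yourdomain.com."),  # loop
}


def fqdn(name: str) -> str:
    """Lowercase, dot-terminated form so comparisons are exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def follow_cnames(name: str, records: Dict[str, Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Follow CNAMEs like a validating CA. Returns (final name, chain walked).
    Raises ValueError on a CNAME loop or a chain longer than MAX_CHAIN."""
    chain = [fqdn(name)]
    while True:
        rec = records.get(chain[-1])
        if rec is None or rec[0] != "CNAME":
            return chain[-1], chain
        nxt = fqdn(rec[1])
        if nxt in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [nxt]))
        if len(chain) >= MAX_CHAIN:
            raise ValueError("CNAME chain longer than %d" % MAX_CHAIN)
        chain.append(nxt)


def check_delegation(hostname: str, auth_zone: str,
                     records: Dict[str, Tuple[str, str]]) -> Tuple[bool, str]:
    """True only if _acme-challenge.<hostname> is CNAMEd into auth_zone and the
    delegation target currently holds a TXT record."""
    challenge, zone = fqdn("_acme-challenge." + hostname), fqdn(auth_zone)
    try:
        final, chain = follow_cnames(challenge, records)
    except ValueError as err:
        return False, str(err)
    if len(chain) == 1:  # no CNAME at all: challenge lives (or is missing) in your main zone
        return False, "no CNAME delegation for " + challenge
    if not final.endswith("." + zone):
        return False, "CNAME points outside the auth zone: " + final
    rec = records.get(final)
    if rec is None or rec[0] != "TXT":
        return False, "delegation target has no TXT record yet: " + final
    return True, "delegated to " + final
```

Run `check_delegation` over your inventory before each renewal cycle and alert on any `False`; a stale token in the main zone or a broken CNAME is far cheaper to catch there than as a failed issuance.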