I split your post into a separate discussion.
Certbot doesn't support TLS-ALPN at all.
You might look at this thread: Which client support tls-alpn challenge?
Unfortunately, TLS-ALPN is operationally a lot more complicated than TLS-SNI was. Native webserver support is very sparse.
For example, if you want to use acme.sh's TLS-ALPN support, the suggested workflow is to stop nginx (in a pre-hook), run acme.sh (it will bind to port 443 and perform renewal), and then start nginx again (in a post-hook).
If you have nginx compiled with the SSL pre-read module, you can do it without stopping your server, but it causes some convoluted configuration.
lego also supports TLS-ALPN in a similar way (standalone mode).
Finally, you can also totally replace or front nginx with Caddy, which makes using TLS-ALPN very easy, but it's a pretty big change to your infrastructure.
The tl;dr is, if you can keep 80 open or use the DNS challenge, it simplifies things a lot. Using TLS-ALPN is not very convenient at the moment, but not impossible.
Edit:
HSTS is a browser thing, not an HTTP protocol thing. It doesn't affect the ACME protocol, so you can keep using 80 in its presence.
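As an added illustration of the "SSL pre-read" approach mentioned above (this is example configuration, not from the original post or from any ACME client's documentation): nginx's stream module can inspect the ALPN list of an incoming TLS ClientHello before decryption and hand connections that advertise `acme-tls/1` to a standalone ACME client, while everything else goes to the normal HTTPS vhosts. It assumes nginx was built with `--with-stream` and `--with-stream_ssl_preread_module`, that the ACME client listens on 127.0.0.1:10443 (a hypothetical port; acme.sh's `--alpn --tlsport` option can set it), and that the existing HTTPS server blocks are moved to 127.0.0.1:8443 (also hypothetical). The hostname and certificate paths are placeholders.

```nginx
# Added example: route TLS-ALPN-01 validation to a standalone ACME client
# without stopping nginx. Ports 10443/8443 are hypothetical choices.
stream {
    # $ssl_preread_alpn_protocols holds the comma-separated ALPN list from
    # the ClientHello; RFC 8737 validation requests advertise "acme-tls/1".
    map $ssl_preread_alpn_protocols $upstream {
        ~\bacme-tls/1\b 127.0.0.1:10443;   # ACME validator (e.g. acme.sh --alpn)
        default         127.0.0.1:8443;    # ordinary HTTPS traffic
    }

    server {
        listen 443;
        ssl_preread on;          # peek at SNI/ALPN, do not terminate TLS here
        proxy_pass $upstream;
    }
}

http {
    server {
        # The real TLS termination now lives on a loopback port.
        listen 127.0.0.1:8443 ssl;
        server_name example.com;

        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        location / {
            return 200 "hello\n";
        }
    }
}
```

Two caveats a practitioner will run into: because the stream server proxies at the TCP level, the `http` vhosts see 127.0.0.1 as every client's address (use `proxy_protocol` on both sides if you need real client IPs in logs or rate limits), and the ACME client's listener must be up on 10443 before renewal runs or the validator's connection is simply reset. That is the "convoluted configuration" trade-off versus the stop/renew/start hook approach.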