Why does Let's Encrypt send a large number of DNS TCP requests to authoritative resolution

The server needs to support sending TCP, but clients can choose to use UDP.

If the Unboundtest config matches Let's Encrypt's production config (which it usually does), it sets edns-buffer-size: 512 which I believe will try UDP and then switch to TCP if over 512 bytes. (Which basically anything using DNSSEC will, though probably other responses can as well.)

There's an API announcement from Let's Encrypt from 2018 explaining the change as increasing resistance to DNS spoofing attacks.

As I understand it, it's much harder for an attacker to spoof TCP responses than UDP responses.

Is there some problem that your DNS servers are having with needing to handle multiple TCP responses? Generally I would expect DNS servers would be able to handle the scale of requests that Let's Encrypt is using, if they're going to be on the Internet in general.

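A worked illustration of the UDP-first, TCP-on-truncation behaviour described in the reply above, added here as an example and not taken from the post, from unbound, or from Let's Encrypt's code: it builds a query that advertises the 512-byte EDNS buffer (the `edns-buffer-size: 512` setting mentioned) and decides from the reply header's TC flag whether the resolver has to retry over TCP. The sample replies are constructed headers, and the DNSKEY query type is chosen only because DNSSEC answers are the ones that typically exceed 512 bytes.

```python
import struct

EDNS_BUFFER_SIZE = 512  # the edns-buffer-size value the post attributes to unbound

def encode_name(name):
    """Encode a dotted domain name as DNS labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=48, txn_id=0x1234, udp_size=EDNS_BUFFER_SIZE):
    """Standard query (RD=1), one question, plus an OPT record advertising udp_size.
    qtype 48 is DNSKEY, a DNSSEC type whose answers usually exceed 512 bytes."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, CLASS = UDP payload size,
    # TTL = ext-rcode/version/flags with DO bit set (DNSSEC OK), RDLENGTH 0.
    opt = struct.pack("!BHHIH", 0, 41, udp_size, 0x00008000, 0)
    return header + question + opt

def advertised_udp_size(query):
    """Read the buffer size back out of the trailing OPT record (assumes RDLENGTH 0)."""
    _, rtype, size, _, rdlen = struct.unpack("!BHHIH", query[-11:])
    if rtype != 41 or rdlen != 0:
        raise ValueError("no trailing OPT record")
    return size

def parse_header(msg):
    """Return the fields of the 12-byte DNS header we care about."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def must_retry_over_tcp(query, reply):
    """True when the UDP reply answers our query ID and has TC=1, meaning the
    authoritative server could not fit the answer in the advertised 512 bytes.
    A reply whose ID does not match ours is ignored rather than acted on."""
    q, r = parse_header(query), parse_header(reply)
    return r["qr"] and r["id"] == q["id"] and r["tc"]

# Constructed sample replies (headers only): truncated, complete, and wrong ID.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR TC RD RA
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)   # QR RD RA
WRONG_ID_REPLY = struct.pack("!HHHHHH", 0x9999, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print(advertised_udp_size(q), must_retry_over_tcp(q, TRUNCATED_REPLY))  # 512 True
```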