One workaround can be picking up a cheap domain and CNAMEing _acme-challenge.unsupported-provider.com to _acme-challenge.supported-provider-cheap-domain.com. The rest of the records can be left alone.
This is listed on Let's Encrypt as a "delegate" subdomain [1] and in an EFF article as a "throwaway" domain [2]. Some clients just call it "CNAME support" [3].
All the different names muddle search results. I've used a Reddit guide [4] for Cloudflare + goacme/lego.
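
Added example, not part of the original comment and not code from lego or any ACME client: a sketch of how the delegation resolves, following the CNAME from the `_acme-challenge` name to the record that must carry the DNS-01 TXT value (computed per RFC 8555 section 8.4). The zone data, token and thumbprint are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 8.4: unpadded base64url(SHA-256(token + '.' + thumbprint))."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def challenge_target(domain: str, records: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs from _acme-challenge.<domain> to the name that must hold the TXT."""
    base = domain.lower().rstrip(".")
    if base.startswith("*."):          # wildcard orders validate the base name
        base = base[2:]
    name = "_acme-challenge." + base
    seen = set()
    while (name, "CNAME") in records:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = records[(name, "CNAME")].lower().rstrip(".")
    return name

def validates(domain: str, records: dict, expected_txt: str) -> bool:
    """Mimic the CA-side lookup: resolve through the delegation, compare TXT values."""
    target = challenge_target(domain, records)
    return expected_txt in records.get((target, "TXT"), [])

# Constructed zone data using the comment's placeholder names.
RECORDS = {
    ("_acme-challenge.unsupported-provider.com", "CNAME"):
        "_acme-challenge.supported-provider-cheap-domain.com.",
}
# Constructed token and account-key thumbprint (placeholders, not real values).
TXT_VALUE = dns01_txt_value("constructed-token", "constructed-thumbprint")

if __name__ == "__main__":
    target = challenge_target("unsupported-provider.com", RECORDS)
    print("publish TXT at:", target)
    # The ACME client writes only to the delegated zone.
    RECORDS[(target, "TXT")] = [TXT_VALUE]
    print("validates:", validates("*.unsupported-provider.com", RECORDS, TXT_VALUE))
```

Because the TXT record is only ever written in the delegated zone, the DNS API credential held by the ACME client can be scoped to the cheap domain alone.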