And just as I posted this I realized the problem: I also recently swapped out the self-signed default certificate and to one that has a valid SAN for all the domains I was trying to get LE certificates for, except for that one domain that initially worked. I assume that one really is rate-limited by LE due to all the tests I did to get here.
I just as I fixed this mistake by generating a new default cert with an unrelated commonName I remembered that I had this issue before. This is really unfortunate. Traefik should log which certificate it selects for which router, maybe even show it in the dashboard.