Route53 dnsChallenge with multiple domains

The real question is why does traefik/lego throw this error when the permissions granted to it allow it to list hosted zones by name? Amazon Route 53 :: Let’s Encrypt client and ACME library written in Go.

Assuming one is just using a single provider, with multiple hosted zones, each one's zone id should be able to be fetched. As the same doc says:

If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct public hosted zone via the FQDN.
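
An added sketch (not from the post and not lego's own code) of per-FQDN zone selection when one provider holds several hosted zones: each challenge record name is matched to the public zone with the longest matching apex. The selection rule, the names `HostedZone`, `normalize` and `zoneForFQDN`, and the zone IDs are assumptions constructed for illustration; the real lookup goes through the Route 53 API.

```go
package main

import (
	"fmt"
	"strings"
)

// HostedZone holds the hosted-zone fields relevant to zone selection.
type HostedZone struct {
	ID      string
	Name    string // zone apex, e.g. "example.com."
	Private bool
}

// Constructed sample data; the IDs are placeholders, not real zones.
var sampleZones = []HostedZone{
	{"ZPRIVATE0EXAMPLE", "example.com.", true},
	{"ZPUBLIC00EXAMPLE", "example.com.", false},
	{"ZPUBLIC01EXAMPLE", "example.org.", false},
	{"ZPUBLIC02EXAMPLE", "dev.example.org.", false},
}

// normalize lower-cases a DNS name and ensures exactly one trailing dot.
func normalize(s string) string {
	return strings.ToLower(strings.TrimSuffix(s, ".")) + "."
}

// zoneForFQDN picks the public zone whose apex is the longest suffix of fqdn
// on a label boundary (assumed selection rule, not taken from lego).
func zoneForFQDN(fqdn string, zones []HostedZone) (HostedZone, error) {
	name := normalize(fqdn)
	var best HostedZone
	for _, z := range zones {
		apex := normalize(z.Name)
		if z.Private || (name != apex && !strings.HasSuffix(name, "."+apex)) {
			continue // private zones cannot serve a public DNS-01 challenge
		}
		if len(apex) > len(best.Name) {
			best = HostedZone{z.ID, apex, false}
		}
	}
	if best.ID == "" {
		return best, fmt.Errorf("no public hosted zone for %s", name)
	}
	return best, nil
}

func main() {
	for _, d := range []string{"www.example.com", "api.dev.example.org", "notexample.com"} {
		z, err := zoneForFQDN("_acme-challenge."+d+".", sampleZones)
		fmt.Println(d, z.ID, err)
	}
}
```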