
Maybe you saw this, but you can make _acme-challenge.domainA.tld a CNAME to _acme-challenge.domainB.tld. Where domainB is a throwaway domain used only for validation. There are some TLDs that are pretty cheap per year.



That might be a step forward. Still a bit complex, but maybe worth considering.

Would that work for multiple domains? So I CNAME the _acme-challenge subdomain for all my domains to _acme-challenge.cheapthrowaway.com?


It's supposed to work as long as your DNS provider can return multiple TXT records. Some can't, due to a lousy UI in the admin panel.


Certbot might not do this out of the box but ACME lets you pass one challenge at a time, collect a new one, repeat. The tokens which show you passed a challenge will "keep" for at least hours and it might even be days (when Let's Encrypt was new it was weeks!) so you can collect them up to get your cert over a time period.

So, as long as the challenge taking is serialised you can get away with just giving a single TXT answer at a time.
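An offline model of the CNAME-to-throwaway-domain setup discussed above, added here as an example (not code from anyone in the thread): two domains point `_acme-challenge` at one validation zone, the client publishes a DNS-01 TXT value per challenge, and the CA-side check follows the CNAME chain and accepts if any TXT record matches, which is why the provider must be able to serve several TXT records at once. The zone data, domain names, tokens and thumbprint are all constructed; the TXT value derivation follows RFC 8555 section 8.4.

```python
import base64
import hashlib

# Constructed zone data standing in for live DNS (not from the thread). Two domains
# CNAME their _acme-challenge label to one throwaway validation zone, which must be
# able to hold one TXT record per challenge that is pending at the same time.
ZONE = {
    "_acme-challenge.domaina.tld.": {"CNAME": ["_acme-challenge.cheapthrowaway.com."]},
    "_acme-challenge.domainb.tld.": {"CNAME": ["_acme-challenge.cheapthrowaway.com."]},
    "_acme-challenge.cheapthrowaway.com.": {"TXT": []},
}
MAX_CNAME_HOPS = 8  # guard against CNAME loops; real resolvers cap the chain too


def dns01_txt_value(token, jwk_thumbprint):
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token + '.' + thumbprint)), unpadded."""
    key_authz = f"{token}.{jwk_thumbprint}".encode()
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def follow_cnames(name, zone):
    """Return the name a CNAME chain ends at (the name whose TXT records the CA reads)."""
    for _ in range(MAX_CNAME_HOPS):
        rrsets = zone.get(name, {})
        if "CNAME" not in rrsets:
            return name
        name = rrsets["CNAME"][0]
    raise ValueError(f"CNAME chain too long, stopped at {name}")


def provision(domain, token, jwk_thumbprint, zone):
    """Client side: publish the challenge TXT wherever _acme-challenge.<domain> points."""
    target = follow_cnames(f"_acme-challenge.{domain}.", zone)
    txt_value = dns01_txt_value(token, jwk_thumbprint)
    zone.setdefault(target, {}).setdefault("TXT", []).append(txt_value)


def validate(domain, token, jwk_thumbprint, zone):
    """CA side: the challenge passes if ANY TXT record at the end of the chain matches."""
    target = follow_cnames(f"_acme-challenge.{domain}.", zone)
    expected = dns01_txt_value(token, jwk_thumbprint)
    return expected in zone.get(target, {}).get("TXT", [])
```

With a provider that can only hold one TXT record at the shared name, `provision` for the second domain would overwrite the first, which is the case the serialised one-challenge-at-a-time approach works around.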


You can even just set NS records for _acme-challenge subdomain to your own DNS server.

And then have your acme client auth against that one.

No need for a new domain.


True, though running your own DNS server or paying for another DNS provider may be similar in effort or expense... as compared to a throwaway cheap TLD domain that comes with DNS.


As it's a DNS server that only ever serves certificate validation requests, and doesn't need 100% uptime, a normal simple BIND or Knot is good enough.


I'd expect it to be built into certbot like serverauth.



