Cloudflare's "Always Use HTTPS" prevents Let's Encrypt renewals from working

I was getting errors from Certbot

invalid response from .well-known/acme-challenge

It took a lot of messing around but the problem lay with a Cloudflare setting.

SSL/TLS -> Edge Certificates -> Always Use HTTPS
Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone.

Certbot requests the verification over HTTP. Because Cloudflare was rewriting that request to HTTPS, it never came through to the temporary server that the Nginx plugin had set up to serve the acme-challenge.

Turning this setting off, and leaving it off, should allow Certbot to automatically renew these domains in the future.
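As an added example (not part of the original post), here is a small pre-flight check to run before a renewal: it requests the challenge path over plain HTTP without following redirects, so a 301/302 to https:// shows the "Always Use HTTPS" problem before certbot fails. The hostname, the dummy token and the result labels are my own; the request goes to the public hostname so that, with Cloudflare proxying the zone, it sees the same edge behaviour the ACME validator does.

```python
"""Pre-flight check for ACME HTTP-01 behind Cloudflare.

Fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP
without following redirects and reports whether the edge forces HTTPS.
"""
import http.client
import sys

ACME_PATH = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 307, 308)


def classify(status, location):
    """Turn a raw status/Location pair into a verdict.

    A redirect to https:// means the HTTP-01 request would only succeed if
    the HTTPS vhost served the token, which the temporary HTTP-only server
    certbot's Nginx plugin sets up does not do.
    """
    if status in REDIRECT_CODES and location and location.lower().startswith("https://"):
        return "redirected-to-https"
    if status in (200, 404):
        # 404 is fine for a dummy token: plain HTTP reached the origin.
        return "plain-http-ok"
    return "unexpected"


def fetch_challenge(domain, token="preflight-dummy-token", timeout=10):
    """Issue one HTTP GET (port 80) and return (status, Location header)."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token,
                     headers={"Host": domain, "User-Agent": "acme-preflight/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def preflight(domain):
    """Run the check for one hostname and return the verdict string."""
    status, location = fetch_challenge(domain)
    return classify(status, location)


if __name__ == "__main__":
    # Usage: python preflight.py example.com (hostname is a placeholder)
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    verdict = preflight(host)
    print(f"{host}: {verdict}")
    sys.exit(0 if verdict == "plain-http-ok" else 1)
```

A `redirected-to-https` verdict is the signature of the setting described above; run the script again after changing it and before invoking `certbot renew`.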