Expand this comment as an answer.
A key piece of information is which DNS service you use.
For very feature-rich platforms like Cloudflare, you need to not only create the right DNS records, but also disable all their caching and/or advanced DNS features so that Azure can request and generate the managed certificate properly for your domain(s).
In your specific case, the culprit is the CAA records, with which you control which CA might issue the certificates for your domain(s). You probably configured them earlier when you requested free certificates from Let's Encrypt, but now Azure tries to request new certificates from DigiCert.
By removing the CAA records, you have made it work again. And if you do need those records, you can now configure them for DigiCert.
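
The CAA behaviour described above can be checked offline before requesting a certificate. The following is an added example, not part of the original answer: it applies the RFC 8659 lookup rules to constructed records for the hypothetical domain `example.com`, using the CA identifiers `letsencrypt.org` and `digicert.com`; the function names are illustrative.

```python
# Constructed sample zone data (not from the original post): CAA records left
# over from a Let's Encrypt setup on the hypothetical domain example.com.
ZONE = """
example.com.      CAA 0 issue "letsencrypt.org"
example.com.      CAA 0 iodef "mailto:security@example.com"
shop.example.com. CAA 0 issue "letsencrypt.org"
shop.example.com. CAA 0 issue "digicert.com"
"""

def parse_zone(text):
    """Map owner name -> list of (tag, value) from 'name CAA flags tag "value"' lines."""
    records = {}
    for line in text.strip().splitlines():
        name, rtype, _flags, tag, value = line.split(None, 4)
        if rtype.upper() == "CAA":
            records.setdefault(name.lower().rstrip("."), []).append(
                (tag.lower(), value.strip().strip('"')))
    return records

def relevant_rrset(records, fqdn):
    """RFC 8659: climb from fqdn toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = records.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_may_issue(records, fqdn, ca_domain):
    """Return True if CAA policy lets ca_domain issue for fqdn (wildcards supported)."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(records, fqdn[2:] if wildcard else fqdn)
    issue = [v for t, v in rrset if t == "issue"]
    issuewild = [v for t, v in rrset if t == "issuewild"]
    # Wildcard requests use issuewild if any exist, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no CAA restriction applies: any CA may issue
    # The issuer is the part before any ';' parameters; an empty one (";") allows nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for host in ("www.example.com", "*.example.com", "shop.example.com"):
        print(host, "digicert.com allowed:", ca_may_issue(recs, host, "digicert.com"))
```

Against a live zone, the same records can be listed with `dig CAA <domain>` at each level of the name and fed into `parse_zone`.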