
One problem with Let's Encrypt: certs only work for public domains.


You can verify ownership of a domain via DNS [1], so you don't need the IPs in the A/AAAA records to be publicly accessible. Or be public IPs. Indeed you don't even need those A/AAAA records to be available from your DNS server from the internet.

You do need a domain though.

[1]: https://letsencrypt.org/docs/challenge-types/#dns-01-challen...


Right; technically the ACME protocol itself could be implemented on a private network, but honestly it has a whole mess of complexity because it's designed around the assumption that the requester and the issuer are arm's-length counterparts.


Is that really a problem though? Just create a dummy public-facing page.



