I am not a Nextcloud wizard, but I have been successful using acme.sh in different contexts, specifically using "DNS mode" to prove I have control of a domain name without inbound IP access.
Does any inbound IP traffic work? I'd start by making sure that the port forwarding is working correctly with plaintext traffic like HTTP/port 80 and then look at encryption.
You also might need to use alternate ports if your ISP doesn't want you running servers, which is probably the case if you're behind CGNAT.
This is not a thing. Everything exposed to the public internet will be scanned constantly forever.
You can reduce your attack surface by limiting the software/ports you expose, or by having another service/computer act as a proxy. This is what Cloudflare does as their main business.
You can get 99% of the benefit you seek by just signing up for the free version of Cloudflare and putting them in front of your webserver. You can configure the firewall on your webserver to only allow access to Cloudflare's servers and let Cloudflare deal with the bots.
Another approach would be to store data on AWS S3 or similar with a time-limited URL with a short expiration date, that you provide only to approved parties. You wouldn't even need to run a public server to do this, and access will automatically be denied after the time period you specify. (This might make more sense if you're distributing big files, versus displaying a screen or two full of information.)
You could also do a web search for "port knocking; or configure client-side TLS certificates, which can be difficult to manage but would allow you to restrict full access to your server. (still vulnerable to DDoS, though)