Those dns settings should work, as far as I can tell
There are a couple of things that you might want to check:
I can see that you’re using Cloudflare for your DNS provider. Cloudflare settings can be a bit of a sticking point, so it’s worth a quick look to see if you need to rule anything out with that config.
The following posts have some good discussion on the topic (you may have already seen these, but just in case) 
- How to get certs DNS validation target?
- Nginx reverse proxy app has constant dnsConfigured false for certs.
Since you do have things set up for a dns-01 challenge, I’d guess that this would work even with Cloudflare proxy set.
You could also get a wildcard cert for your domain (for an extra $2/month). As you pointed out, it does look like you have a valid cert for the www subdomain; having a wildcard might be worth down the road it if you’re planning on needing many more.
Are you able to see what certs are listed for your app with fly certs list ? Does the validation target you have in your _acme-challenge match what you’d see in fly certs show typekitproxy.com?
Finally, how did you set things up with your www subdomain? I don’t see an _acme-challenge listed for it, so I’d guess that you used some other method for it.