My understanding is if you have an A/AAAA record for your domain or you have the acme-challenge CNAME, the SSL should renew by itself. As either method can be used for verification.
In which case, just a CNAME (so not using A/AAAA or the acme-challenge) would not be sufficient. If that’s correct that would explain the failure.
As regards whether an A record or CNAME is better, I believe for an apex domain (like domain.com) you need to use an A record. But for subdomains (like api.domain.com) you can use either. I guess using an A record avoids one more DNS lookup. But since the IP per app seems fixed I’m not sure there is any other benefit.