IPv6 actually resolves this. Not with Let's Encrypt (because they won't issue a cert for an IP address) or ZeroSSL (because they currently don't support issuing certs for IPv6 addresses), but it is definitely possible.
You wouldn't even have to expose the private network to the outside world. It could still be firewalled off.
Say if your prefix is 2a09:1337:8888:aa::/56 and your private prefix is 2a09:1337:8888:aaff::/64, just make sure that the router redirects all traffic from outside to the /64 to a box that listens for connections so a certificate can be issued. Of course you'd also need to be able to reach said box from boxes within the private network (for .well-known cert requests), but it's trivial. No BGP required. Simple HTTP challenge.
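A sketch of the request filter such a listening box could apply, added here as an illustration and not part of the comment above: it answers HTTP challenge requests only when the Host header is an address inside the private /64 and the path is a pending challenge token. The function names, the token pattern and the sample token are assumptions; the prefix is the one from the comment, and the Host header is assumed to arrive as a bracketed IPv6 literal.

```python
import ipaddress
import re

# Prefix taken from the comment above; everything else here is an assumption.
PRIVATE_NET = ipaddress.ip_network("2a09:1337:8888:aaff::/64")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")  # base64url characters only


def host_in_private_net(host_header):
    """True if Host is a bracketed IPv6 literal (optional :80) inside PRIVATE_NET."""
    m = re.fullmatch(r"\[([0-9A-Fa-f:]+)\](?::80)?", host_header.strip())
    if not m:
        return False
    try:
        addr = ipaddress.IPv6Address(m.group(1))
    except ValueError:
        return False
    return addr in PRIVATE_NET


def answer_challenge(host_header, path, pending):
    """Return (status, body) for one GET, given pending {token: key_authorization}."""
    if not host_in_private_net(host_header):
        return 421, b""  # routed to this box, but not addressed to the /64
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b""  # this box serves nothing except challenge responses
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token) or token not in pending:
        return 404, b""  # rejects traversal, query strings and unknown tokens
    return 200, pending[token].encode("ascii")


if __name__ == "__main__":
    # Constructed sample data, not a real token or account thumbprint.
    tok = "c2FtcGxlLXRva2VuLTAwMDE"
    pending = {tok: tok + ".constructed-thumbprint"}
    print(answer_challenge("[2a09:1337:8888:aaff::10]", CHALLENGE_PREFIX + tok, pending))
    print(answer_challenge("[2a09:1337:8888:aa::1]", CHALLENGE_PREFIX + tok, pending))
```

Hosts inside the private network would register their pending token with this box before asking the CA to validate, which is the internal reachability the comment mentions.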