Certbot-auto with API token issue

Hello.
I have an issue trying to obtain wildcard cert for my domain with generated API token for DNS zone (with edit rights).
I’ve used this article to setup certbot-auto, but with no luck. In console i’ve got after cleaning up challenges:
Unable to determine zone_id for xxx.yy using zone names: [u'xxx.yy', u'yy']. Please confirm that the domain name has been entered correctly and is already associated with the supplied Cloudflare account. The error from Cloudflare was: 0 Actor 'com.cloudflare.api.token.xxxxxxxxxxxxxxxxxxx' requires permission 'com.cloudflare.api.account.zone.list' to list zones
There is no issues if I use Global API, but this is not secure.
Could anyone help me to figure this out, please?

See https://certbot-dns-cloudflare.readthedocs.io/en/stable/

The API Token needs to read all zones on your account. You probably gave it only write permissions on the zone you are working on.

I can definitely see a use case for a special API token that has “acme only” permissions on a single hostname, but currently you have to give the token wider permissions.