What is the proper way to prevent an Ansible playbook from updating a config file after it has been updated
Do not use lineinfile. Manage complete files with one or more template tasks.
Should you decide to separate the roles for nginx config and getting certificates, they will need to coordinate somehow. Perhaps the nginx role just assumes Let's Encrypt default cert locations. Or, perhaps you can set variables like nginx_ssl_certificate: /etc/pki/tls/certs/{{ inventory_hostname }}/cert.crt
assuming that the domain name is the name in inventory.
If the nginx role runs first, and configures a certificate that does not exist, nginx will not start. Consider using a handler for nginx restart, which will be deferred until a later stage in the play. Or, reorder the roles so the cert exists first.
Idempotent tasks with lineinfile is possible, but it requires understanding lineinfile's various modes, and writing regexes. I don't recommend it, lineinfile confuses everyone.