#3 - It really depends on the device; usually it's a swap of the certificate and a graceful reload, but this depends solely on the device. If they're HTTP(S), you can also use HAProxy to do the encryption for you (see [1] below), so you have:
Clients --https--> HAProxy (pfSense) --http--> internal server
This way, you only need to refresh the certificates on HAProxy (note that internal communication is then unencrypted, so ensure your network is appropriately protected from sniffers).
#4 - No; it depends on the way you're doing Let's Encrypt certs. If you're using the HTTP certbot, then yes, you would need them, since it requires a specific string at that server, but using Route53 should work without creating a public subdomain.
#5 - Yes, a single certificate can have multiple SANs, but this does leak information. If the "https://www.example.com" certificate has SANs for "https://something-secret.example.com", you can read this out of the certificate; I tend to create one cert per subdomain. Also, don't forget that as of recently, Chrome is enforcing the RFC such that the CN= must also be in the SAN (so create a certificate for CN=www.example.com with a SAN of www.example.com).
[1] http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
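
Added example, not part of the original post: the two points in #5 checked with the OpenSSL CLI, listing every SAN a certificate exposes and verifying that the CN is also a SAN. The function names are hypothetical, `make_demo_cert` only builds a constructed self-signed test certificate, and OpenSSL 1.1.1 or later is assumed for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example: audit which hostnames a certificate exposes in its SANs.
# Function names are hypothetical; needs OpenSSL 1.1.1+ (-addext / -ext).

# make_demo_cert OUT.pem CN SAN_LIST: constructed self-signed test certificate.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${1%.pem}.key" -out "$1" \
        -subj "/CN=$2" -addext "subjectAltName=$3" 2>/dev/null
}

# list_sans CERT.pem: print each DNS name in subjectAltName, one per line.
list_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cert_cn CERT.pem: print the subject CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cn_in_san CERT.pem: succeed only if the CN also appears as a SAN entry
# (exact, case-insensitive match).
cn_in_san() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] && list_sans "$1" | grep -qixF -- "$cn"
}

# Usage: sh audit_sans.sh cert.pem
if [ "$#" -ge 1 ]; then
    echo "CN: $(cert_cn "$1")"
    echo "Names visible to anyone who fetches this certificate:"
    list_sans "$1" | sed 's/^/  /'
    cn_in_san "$1" || echo "WARNING: CN is not listed as a SAN"
fi
```

Running it against a multi-SAN certificate before deployment shows exactly which internal hostnames would be published with it.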