Digging into STSFetchResult.FETCH_ERROR

You’re looking at two different things.

As @openletter notes, the Fetch error is most commonly an issue with the certificate on the mta-sts subdomain.

Unrelated to that, the error you’re seeing from esmtp.email on the TLSRPT TXT record points more to an error when doing the lookup via DNSSEC, which it appears you have configured on your domain. I don’t think MIAB configures this record for you (as it is not mandatory with MTA-STS) but you should be able to add the TXT record to your DNS manually, something like

_smtp._tls.your-domain  TXT "v=TLSRPTv1; rua=reporting-address"