> Is this implying that all TLS is terminated at the Iran border and proxied from there?

Yeah, the law-abiding type on the Iranian National Information Network(NIN), either using the Electronic Commerce Council's I.R.Iran CA for HTTPS or just HTTP.

> Maybe certificate authorities aren't allowed to issue private certs to Iranian organizations? Even LetsEncrypt?

Due to NIN registrations being not very much not anonymous, https://xkcd.com/538/ seems pretty appropriate if you want to use an unapproved certificate authority.