This proved to be blessedly simple. As per the documentation, any executable in /etc/letsencrypt/renewal-hooks/deploy will be run after a certificate was successfully renewed (may need to be owned by root). This worked first time:

#!/bin/bash
 
cp -L /etc/letsencrypt/live/<domain>/{fullchain,privkey}.pem /etc/exim4/
chown Debian-exim:Debian-exim /etc/exim4/{fullchain,privkey}.pem
systemctl restart exim4