www redirect to non-www is the default when the canonical and redirect params are set the way you have them set up in your config; there shouldn’t be any additional configs necessary. If you have your DNS set up properly (which it appears you do) then you need not alter anything else.
I suspect you may have provisioned your server before you set up your A Record for the www hostname.
Can you please remove your additional configs and run the LetsEncrypt task from the provision playbook again and output results here?