Oh, right. I forgot, the email when used as an argument to tls is technically an “issuer-specific subdirective” for implementation reasons. So the fix is to write it like this:
tls {
issuer zerossl APIKEY {
email myemail@address.tld
dns cloudflare APIKEY
}
}