I would like to take this opportunity to mention that it is important to exclude the .well-known directory from an HTTPS redirect and keep it accessible via port 80 so that Let's Encrypt can continue to check the challenge in it even if HTTP to HTTPS forwarding is activated.

As an update:

I copied my BIMI image and my .well-known folder from C:\Program Files (x86)\SmarterTools\SmarterMail\MRS to C:\Program Files (x86)\SmarterTools\SmarterMail\Service\wwwroot and everything works, my domain passed the MTA-STS checker, my BIMI image works again and all seems well at the moment. My policy file is available both http and https, so .well-known is apparently excepted from the redirect.

BUT: I am not using automatic certificates in SmarterMail as I have Certify the Web setup for my automatic renewals. If I were to enable SmarterMail Automatic Certificates, I'm not sure the internally generated .well-known would include files from wwwroot/.well-known

I do know that creating a virtual directory in IIS does NOT work, and IIS sees MRS as the site root folder.