For some reason, downloads only work with secure connections, which in turn require a valid cryptographic certificate, which in turn requires your server to have a FQDN.
PiHole is a full-blown DNS resolver.
As such, it implements “DNS rebinding protection” (which is generally a good thing).
Unfortunately, it also blocks the assignment of a custom subdomain of the plex.direct domain to your local server.
Which in turn prevents secure connections from working inside of your local network.
You need to tell the pi-hole that it shall not block DNS rebindings on the plex.direct domain.
https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections#toc-4
