Cloudflare CDN and Heroku ACM (or similar)

Yeah, I found a bunch of these (and similar) but they all assume locally-administered servers - there’s a real lack of information to help people understand the implications of LE certs when using Cloudflare with a ‘locked down’ cloud hosting service.

I appreciate it’s complex, and varies a lot according to the hosting provider, but there are some major hosting services and config-platforms (like Heroku and cPanel) that it’s hard to get specifics about. And trial-and-error is painful when it comes to DNS config for non-DNS-experts.

I think (per mnordhoff) the way to go (with much regret) is to abandon Let's Encrypt and go with CF Origin Certs.