heroku ACM use hinges on the use of Heroku DNS (it's the way they wrote the client)
You can use the heroku CLI to install 3rd party certificates.
So the process should be something like
A) A laptop with certbot and a CloudFlare API key
B) Heroku CLI
C) Certbot renews the certs and runs a heroku CLI command to install the let's encrypt cert
Not ideal but thats the way things are
You can also look at a nodejs application to do this as well
Andrei