Not possible using the CF proxy settings, no. But as per the solution I linked to in my original post, I think using a CF page rule to turn off SSL for the URL being challenged (via the CNAME to the GitHub IP) but having all other URLs under SSL, effectively does that.
But again, I intend to wait until the next origin renewal before declaring it a success.