For authentication to work behind Cloudflare, you’ll need to use the webroot plugin, because the Apache authenticator needs “direct” access to port 443 on your server.
You can read more about the webroot plugin here.
I recommend to keep using the apache plugin for installing the certificates (using -i apache), but using the webroot plugin for authentication with -a webroot (and the other options required like -w).