Will Cloudflare proxy block certbot challenge?

As of Certbot v1.13.0 (released March 2021), Certbot's --nginx plugin added support for authenticating your domain when using Cloudflare's Full (Strict) setting. From this version, Certbot will set up the nginx challenge for both port 80/HTTP and port 443/HTTPS.

Prior to Certbot v1.13.0, you would either have to use Cloudflare's Flexible setting, or use the --webroot plugin, because Certbot would only set the nginx challenge up on port 80/HTTP.

If you intend to use Cloudflare on Full (Strict), then I strongly suggest that you use a newer version of Certbot, either from the snap or pip.

3 Likes