Wordpress.com subdomains check the host header to serve your website (instead of serving someone else’s website). Cloudflare as a reverse proxy does not change or overwrite this host header, instead making a request to the A/CNAME record with the host header sent from the browser.
This is mainly to prevent abuse of cloudflare, as being able to reverse proxy arbitrary domains while faking the host header could lead to PAAS applications (like wordpress.com) getting mad that Cloudflare is ruining/breaking their business model by allowing users to fake where a request is originating from (wordpress.com free plans don’t get a custom domain). This would also likely make some hosts mad, as a shared server effectively serving a copy of someone else’s domain would raise some red flags and the blame would be on Cloudflare for allowing it.
So currently, the only way to do this via Cloudflare itself is to be on the enterprise plan:
This is likely due to Cloudflare fully trusting that their enterprise customers won’t abuse it to get “custom domain”-like functionality on PAAS services for free, and if they do they can confront their customer about the behavior.
So without the enterprise plan, the best way to go about this is to set up this reverse proxy on your origin IIS/nginx/etc server.