Cloudflare and nginx setup howto?

That will break Let’s Encrypt certificate issuance. They use multi-perspective validation and it will originate in countries outside of your restrictions. They are not the only automated CA using multi-perspective validation.

One Cloudflare setting that has interfered with HTTP-01 challenges for me is the Always Use TLS setting. I turn this off in Cloudflare and either create my own Cloudflare rule that exempts the /.well-known/acme-challenge path from redirection (and other settings, such as bot challenges, etc) or handle HTTPS redirection at the origin. Note that such redirection at the origin will break any site that uses Flexible, which is another reason to avoid that horrible and deceptive setting.

When you encounter that 522 response on your www hostnames, do you see the requests reach your server?
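An origin-side nginx configuration that implements the approach described above (redirect to HTTPS at the origin while leaving the HTTP-01 challenge path untouched); this is an added example, not configuration from the poster, and the hostnames and the webroot path /var/www/letsencrypt are assumed placeholders.

```nginx
# Added example (not from the post above): plain-HTTP server block that
# serves ACME HTTP-01 challenge tokens directly and redirects everything
# else to HTTPS. Assumed values: example.com / www.example.com and the
# webroot /var/www/letsencrypt that the ACME client writes tokens into.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # ^~ wins over any regex locations, so no rewrite, auth or redirect
    # elsewhere in the config can catch the challenge path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything that is not a challenge goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

For this to work behind Cloudflare, the proxy must not redirect the challenge path itself (Always Use HTTPS off or a rule exempting /.well-known/acme-challenge) and the origin must be reached over HTTPS (Full or Full (strict)), since with Flexible the 301 above produces a redirect loop.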