I’m using a stub resolver to connect to 1.1.1.1 over TLS. Checking the DNS debug page seems to get contradictory results: it says that I’m not connected to 1.1.1.1, but the reported AS is Cloudflare. Based on my configuration, the error is that I am connected to 1.1.1.1 (and the report that I’m not is wrong), rather than the AS being wrong.

Disable DNSSEC. The test displays false negatives when your client is validating DNSSEC.

That’d explain it. Is there an explanation for the explanation?

Explained here: *.is-cf.cloudflareresolve.com is not a valid DNSSEC zone