If you disable the TLS 1.3 protocol on the crypto tab in your Cloudflare dashboard, does the issue resolve for your customers?
What browsers and browser versions are your customers with issues on? It could be a TLS 1.3 draft vs RFC version difference issue, with what is supported by the web browser and Cloudflare differing.
Chrome 69 supports TLS 1.3 draft 28 while Chrome 70, releasing in ~5 days, supports TLS 1.3 RFC final. Though Cloudflare’s TLS 1.3 should support TLS 1.3 draft 23, draft 28 and RFC final, so it shouldn’t matter. Though I have seen some reports of ERR_SSL_VERSION_INTERFERENCE with Chrome from some users of my Centmin Mod LEMP stack, which uses Nginx/OpenSSL 1.1.1 with TLS 1.3 RFC final too. They disabled TLS 1.3 on the web server and that fixed it. So it is probably the same for Cloudflare: disable TLS 1.3 in the crypto section of your dashboard.
Also check if those visitors are using anti-virus/malware protection software, e.g. Avast, on their local computers, as some have man-in-the-middle (MITM) scanners which may not support the same TLS 1.3 draft/RFC final version that Cloudflare is advertising. So those visitors need to either update their anti-virus software, disable the setting for scanning HTTPS in their software, or disable Cloudflare TLS 1.3 for now.
For example, it seems Kaspersky anti-virus is a current app which has issues with TLS 1.3: https://forum.kaspersky.com/index.php?/topic/402104-not-able-to-visit-a-lot-of-https-websites-err_ssl_version_interference-merged/
After some digging around on old posts I found out that turning off scanning encrypted connections from Settings- additional - network - do not scan… works.
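
To see which TLS 1.3 draft or final version a browser (or an HTTPS-scanning proxy sitting in front of it) actually advertises, you can decode the `supported_versions` extension of a captured ClientHello. The following is an added example, not part of the original post; the function names are hypothetical and the sample ClientHello bytes are constructed in the code rather than captured from a real client.

```python
import struct

NAMES = {0x0304: "TLS 1.3 (RFC final)", 0x0303: "TLS 1.2",
         0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}

def version_name(v):
    """Map a 16-bit wire version to a readable name."""
    if v in NAMES:
        return NAMES[v]
    if v >> 8 == 0x7F:                       # drafts are encoded as 0x7f00 | draft number
        return f"TLS 1.3 draft {v & 0xFF}"
    if v & 0x0F0F == 0x0A0A and v >> 8 == v & 0xFF:
        return "GREASE"                      # reserved dummy value, ignored by servers
    return f"unknown 0x{v:04x}"

def offered_versions(record):
    """Return the versions listed in supported_versions (extension 43) of a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                         # record + handshake headers, legacy_version, random
    pos += 1 + record[pos]                   # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                   # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4 : pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 43:
            listed = body[1 : 1 + body[0]]   # one length byte, then 2-byte versions
            return [version_name(v) for (v,) in struct.iter_unpack("!H", listed)]
    return []                                # no extension: client offers TLS 1.2 or lower only

def build_hello(versions):
    """Constructed minimal ClientHello record, used as sample input only."""
    ext_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", 43, len(ext_body)) + ext_body if versions else b""
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(offered_versions(build_hello([0x2A2A, 0x7F1C, 0x0303])))   # draft-28 style client
    print(offered_versions(build_hello([0x2A2A, 0x0304, 0x0303])))   # RFC-final style client
```

Comparing the list decoded from the hello the browser sends with the one that reaches the server shows whether a local scanner is rewriting the handshake with a different draft.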