For anyone else following along, Port 80 was showing a consistent TCP connection refusal - meaning a TCP RST packet is sent back to Cloudflare from the origin, causing the HTTP 521 error.
To fix this, choosing Full Strict SSL (if you have a valid origin cert and intend to keep it up to date) is the best approach if Port 443 is accessible. If you must use Flexible SSL, then Port 80 has to be accessible to at least the Cloudflare IP ranges.
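A way to check the two origin ports discussed above, as an added example that is not part of the original post: it separates an active refusal (RST) from a silent drop and lists which of the SSL modes named in the post the origin can serve. The function names and the default host are assumptions made for this sketch.

```python
import socket
import sys


def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"                 # SYN/ACK received, handshake completed
    except ConnectionRefusedError:
        return "refused"                  # origin (or a rejecting firewall) sent RST
    except socket.timeout:
        return "timeout"                  # no reply at all: packets dropped
    except OSError as exc:
        return "error: %s" % exc          # DNS failure, no route, etc.


def describe(state):
    """Map a probe result to what it means for the setup in the post."""
    if state == "open":
        return "port accepts connections"
    if state == "refused":
        return "RST returned; through Cloudflare this surfaces as HTTP 521"
    if state == "timeout":
        return "no answer; traffic is being dropped before the web server"
    return state


def usable_ssl_modes(state80, state443):
    """Flexible needs port 80 at the origin, Full Strict needs port 443."""
    modes = []
    if state80 == "open":
        modes.append("Flexible")
    if state443 == "open":
        modes.append("Full Strict")       # also needs a valid origin cert
    return modes


if __name__ == "__main__":
    # Pass the origin's real IP, not the proxied hostname (assumed default below).
    origin = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = {p: probe(origin, p) for p in (80, 443)}
    for p, state in results.items():
        print("port %d: %s (%s)" % (p, state, describe(state)))
    print("usable modes:", usable_ssl_modes(results[80], results[443]) or "none")
```

A firewall that admits only the Cloudflare IP ranges will show as refused or timeout from any other address, so a failing result from your own machine does not by itself prove Cloudflare is blocked.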