Right (I think - someone would still need to know your ELB IP), but once they get to your server, they’ll just get a 403… no access to your actual website.
Isn’t this similar to domain fronting that was announced that Amazon would block: Amazon blocks domain fronting, threatens to shut down Signal’s account | Ars Technica (I am aware it’s through CloudFront, and the equivalent will only be ALB and not NLB - OTOH once through Cloudflare you’re limited to HTTP(s) anyway)
I don’t think there’s a proper solution for that - after all a single IP may host multiple sites and multiple Cloudflare users can host on a single target IP, and in fact most websites today are hosted that way. To achieve what you want, it sounds like Cloudflare would have to have connections to your domain origin from specific IPs (in many regions in the world) which are a subset of their whole network and block other Cloudflare users from originating through them - and dedicated IPs cost money. If such a thing exists, I do not recall seeing it, and would bet it would be an Enterprise feature, where price is set based on a more tailor-made suite of services.
One Cloudflare service I can think of that may be proper for this, is to use Cloudflare Tunnel (under “Traffic” tab). That costs money:
https://support.cloudflare.com/hc/en-us/articles/115000224192
But that way requests will come from within your servers so no need to expose ELB to the outside…