We have limited configurability with our hosting tools. The closest I can get to performing task 1 as you described is to set our A record to DNS Only in Cloudflare, make sure the error clears on our primary domain in our server (which it does, and our free GoDaddy SSL comes back to life), and then re-enable proxy in Cloudflare. Whether I do this with Flexible, Full or Full (strict), the 520 error returns very quickly. In fact, with Full or Full (strict), we also intermittently get 525 SSL Handshake errors.
Yes, our CNAME record is the www version of our domain. I’m not sure whether it’s there for SSL certificate issuance verification or not. It’s been there from the beginning so we’ve just left it. Whether we have it Proxied or DNS Only whilst our A record is either Proxied or DNS Only makes no difference to the 520 results described earlier, unfortunately.