Let's Encrypt and Cloudflare. How to set?

The issues here are multiple.

If you want to connect via HTTPS through Cloudflare, you need to keep SSL, Universal SSL, enabled at a minimum. Then you should use Always Use HTTPS to redirect everything to HTTPS. HSTS is optional; realize the potential consequences before enabling it, especially preload. HTTPS rewrites can be useful and work only while connecting via HTTPS, so enable them.

Authenticated Origin Pulls isn’t doing what you imagine; it’s not HTTPS requests to the origin. Read the help underneath it.

The way Cloudflare connects to the server depends on the user’s connection type (HTTP will always go through as HTTP) and the SSL setting (Flexible: always HTTP, although not recommended; Full: always HTTPS without verifying the certificate; Full (Strict): HTTPS with a valid cert).

To enable Let’s Encrypt, use Certbot with the webroot method; it doesn’t require disabling Cloudflare.
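
A pre-flight check for the webroot method mentioned above, as an added example that is not part of the original post: it writes a probe file where Certbot's webroot plugin places its challenge files, fetches it through the proxied hostname, and only then runs Certbot. The domain and webroot are supplied as arguments; the function names and probe file naming are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: verify the webroot is reachable through Cloudflare
# before asking Certbot for a certificate.
# Usage: ./preflight.sh <domain> <webroot>   (both are your own values)

# Directory under the webroot where Certbot's webroot plugin writes challenge files.
ACME_DIR=".well-known/acme-challenge"

# Create a probe file in the challenge directory; prints the probe's file name.
make_probe() {
    webroot="$1"
    probe="probe-$$"   # hypothetical naming scheme for this example
    mkdir -p "$webroot/$ACME_DIR" || return 1
    printf 'ok-%s\n' "$probe" > "$webroot/$ACME_DIR/$probe" || return 1
    printf '%s\n' "$probe"
}

# Fetch the probe via the public hostname, i.e. through the Cloudflare proxy.
# -L follows the redirect to HTTPS when Always Use HTTPS is on.
check_probe() {
    domain="$1"; probe="$2"
    body=$(curl -fsSL --max-time 15 "http://$domain/$ACME_DIR/$probe") || return 1
    [ "$body" = "ok-$probe" ]
}

# Delete the probe file again.
remove_probe() { rm -f "$1/$ACME_DIR/$2"; }

main() {
    domain="$1"; webroot="$2"
    probe=$(make_probe "$webroot") || { echo "cannot write to $webroot" >&2; return 1; }
    if check_probe "$domain" "$probe"; then
        remove_probe "$webroot" "$probe"
        # Webroot method: Cloudflare stays enabled, the web server keeps running.
        certbot certonly --webroot -w "$webroot" -d "$domain"
    else
        remove_probe "$webroot" "$probe"
        echo "probe not reachable at http://$domain/$ACME_DIR/ (check webroot and SSL mode)" >&2
        return 1
    fi
}

# Run only when called with both arguments, so the functions can be sourced.
if [ "$#" -eq 2 ]; then main "$@"; fi
```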