Load balancing health check - TLS mismatch error

I am setting up health checks in anticipation of load balancing for an application. This application is hosted on site, and our intent is to use Cloudflare to handle failover between our two ISPs so we can use a single DNS record.

When building a monitor and a pool, I keep getting alarms that the pool has TLS name mismatch errors. However, our certificate appears valid on all browsers, so it must be a configuration issue.

Here is what I have set up:

  1. somedomain.company.com accessible via 443, using a *.company.com wildcard with somedomain.company.com in the SAN and DNS name fields of the certificate. Validated as working on all major browsers.
  2. Load balancing monitor set up using HTTPS and pointed to the landing page of the app. Currently we have a host header set to the FQDN of the app (somedomain.company.com); I have tried several variations of headers in the monitor without success.
  3. Load balancing pool set up with only a single origin (for now), with said origin using the main public IP of the application. I have tried setting this up with and without a host header pointing to somedomain.company.com, as well as just company.com and several other variations in case the issue is with our wildcard certificate. I have also tried using the FQDN directly, but when doing that I cannot make a second origin in the pool with that hostname.

I am certain there is a combination that will work, because at one point I got the pool up, but I didn’t get the alert until several hours later so I don’t know when.

I feel like I am missing something obvious, but in all my searching all I can find is ‘something wrong with the certificate’. That doesn’t seem to match this, as my cert appears fine outside of the load balancer configuration.
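An added diagnostic, not part of the original post and not Cloudflare's own tooling, that applies the RFC 6125 name-matching rules a TLS client uses to the hostnames tried above: it shows which Host values a `*.company.com` certificate can actually cover, and, given an origin IP and a Host value, retrieves the origin's certificate with that name as SNI and reports which SAN entries match. The sample certificate dict is constructed for illustration; `probe_origin` needs network access and is assumed, not verified, to mirror what a health check does when it validates the origin against the configured host header.

```python
import ssl
import socket


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a hostname.

    A wildcard is honoured only as the entire left-most label and covers exactly
    one label: '*.company.com' matches 'somedomain.company.com' but neither the
    bare 'company.com' nor 'a.b.company.com'. An IP address never matches a DNS name.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole first label and must not sit at the public-suffix level.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matching_names(cert: dict, hostname: str) -> list[str]:
    """Return the subjectAltName DNS entries (getpeercert()-style dict) covering hostname.

    Only the SAN is consulted; modern validators ignore the CN entirely.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [name for name in sans if hostname_matches(name, hostname)]


# Constructed stand-in for the wildcard certificate described in the post.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.company.com"),),),
    "subjectAltName": (("DNS", "*.company.com"), ("DNS", "somedomain.company.com")),
}


def probe_origin(origin_ip: str, hostname: str, port: int = 443) -> list[str]:
    """Connect to origin_ip with SNI = hostname and report the SAN names that match it.

    The chain is still verified (CERT_REQUIRED) so getpeercert() returns the parsed
    certificate; only the hostname check is disabled so we can see *why* it fails.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((origin_ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return matching_names(tls.getpeercert(), hostname)
```

Running `probe_origin("<origin ip>", "somedomain.company.com")` against the real origin and comparing the result with `probe_origin("<origin ip>", "company.com")` shows directly whether a given Host value can ever pass a name check against the wildcard certificate.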