The 526 I am seeing is coming from Always Online, so is not the current error.
Can you disable Always Online mode so that you start seeing the actual error from the Origin?
The certificate on the Origin is for the
prod hostname, not for the
lb1 hostname. What is your current SSL Mode, and over the course of your testing have you changed the SSL Mode a few times?
My guess is that your Origin is actually not always responding, but you are getting a copy of an old error from earlier in your testing when that happens. Disabling Always Online should make diagnosing that easier.