As far as I understand it, Plesk can only renew the certificates automatically if it has authority over DNS. This is because Plesk uses TXT records to validate the certificate, but since the DNS is at Cloudflare, the records created by plesk do not propagate.
A simple solution to this is using Cloudflare origin certificates instead, this way you can have a certificate at your origin with up to 15 years validity.
These types of certificates are only used between Cloudflare and the origin and the certificate shown externally will still be the edge certificate.
Another option would be to delegate _acme-challenge with NS records, but this can bring other issues when Cloudflare tries to renew edge certificates for your zone.