Your traffic IS SECURE, it is encrypted using TLS, CF isn’t only verifying that the certificate is a valid one (it’s the same as adding the
--insecure flag to
curl), so it can be a self-signed or expired.
If the certificate on Azure covers the domain you are using (if your domain is example.com, it has example.com in the alternate, or primary, name) then you can switch to Full (Strict) which validates the certificate.
The decision if you need to buy a specific certificate (you can use Let’s Encrypt theoretically, don’t know enough about Azure to verify compatibility) is about where you are worried about eavesdroppers or hackers: if it is in transit (User <-> CF <-> Origin) then you are already set, if it is on the actual server and you want to be sure no one else puts something instead of your server (which is pretty difficult if you use A/AAAA records with static IPs or a domain controlled by Azure itself) then you would improve a bit with the cert, but not much in my opinion.
TL;DR: you are already with site and traffic secured (assuming the Azure account has strong password and possibly 2FA)