As you have noted, a business or enterprise plan is required to upload your own certificate
You can download a certificate from Cloudflare to use on your origin, but note that is only trusted by Cloudflare so will give a warning if you connect to your origin directly using your browser. As you already have a Sectigo certificate on your origin, just keep using that (or use Letsencrypt or other CA).
Yes, if you don’t use the proxy the traffic will go directly to your origin and won’t go through Cloudflare where the features are applied.
Maybe, depends on what it does. Note that once proxied, all traffic will be coming from Cloudflare so ensure your own WAF doesn’t end up blocking any Cloudflare IPs, but it will be OK if it blocks access to specific URLs, detects intrusion or exploit attempts and so on as an extra layer.
Consider restoring original visitor IPs on your origin so logs show the visitor IP instead of Cloudflare ones to help you see what it happening.
You should also limit access to your webserver to Cloudflare IP addresses only so people can’t get round the protections by connecting to your origin directly.
One is on the Cloudflare edge, this will be the one presented to visitors to your site when Cloudflare is proxying. For most users, this will be provided and renewed by Cloudflare automatically. You don’t need to do anything. (They call this “Universal SSL”). The option to use your own certificate here instead is what requires a business or enterprise account.
The second is on your origin, this is so Cloudflare can make an SSL connection to your origin to pass on, after filtering, the user’s requests. This is like any normal connection direct to your origin and requires an SSL certificate so this can be done over a secure connection. Your Sectigo certificate just sits on your origin as it did before, but will only be seen by the Cloudflare proxy.
You don’t need the Cloudflare generated origin CA certificate if you already have an SSL certificate for your origin (as you do with your Sectigo one).