This is not my experience in a similar situation. I have lots of WPEngine sites behind CF, using the WPEngine Let’s Encrypt service. The ACME server connects to http://example.com/.well-known/acme-challenge/<something>, so provided that is available you should have no issues.
If you are redirecting to HTTPS you are also OK, as ACME will follow the redirect. Just be careful that for the very first certificate request you have SSL Mode set to Flexible, as you probably don’t have any certificate yet on the backend. Once you have the first cert in place you are OK to set SSL Mode to Full or Strict as you prefer, and renewals will happen without issue.
I have seen lots of articles saying you should not redirect the /.well-known/acme-challenge/ directory. In my experience this is an unneeded complication. Provided you can read files in that directory, even after a redirect, ACME will issue the certificate.
The alternative is to use the DNS-01 method, which supports using the CF API (see Certbot documentation). Lots of articles you will see online (such as this on the CF Support pages) are out of date. Support for DNS-01 is now available in lots of clients, including Certbot.
Having a valid certificate on the origin is very handy, as you can be certain that going grey cloud will not immediately break due to a cert issue.
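A pre-flight check that imitates what the validating ACME server does for HTTP-01, added here as an example and not code from the post above: it fetches the challenge URL, follows redirects within the limits Let's Encrypt applies (at most 10 hops, only to http/https on ports 80 and 443), and compares the body with the expected key authorization from RFC 8555. The embedded origin, its two tokens and the account key are constructed so the script runs offline on a loopback port; the "good" token is served after a site-wide redirect (the poster's point that a redirect is harmless as long as the file stays readable), the "broken" token shows a rewrite rule that swallows the challenge into the front page.

```python
"""Pre-flight check that imitates an ACME validator's HTTP-01 request: fetch the
challenge URL, follow redirects like Let's Encrypt does, compare the body."""
import base64
import hashlib
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10                          # Let's Encrypt's published limit
DEFAULT_PORTS = {"http": 80, "https": 443}  # validators only follow to these

def key_authorization(token, account_jwk):
    """RFC 8555 s8.1: token '.' base64url(SHA-256(RFC 7638 canonical JWK))."""
    canonical = json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canonical).digest()
    return token + "." + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def fetch_following_redirects(url, allow_any_port=False):
    """Return (final_url, body); raise ValueError when the chain breaks a validator rule."""
    for _ in range(MAX_REDIRECTS + 1):        # first request + MAX_REDIRECTS hops
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported scheme: {url}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        if port != DEFAULT_PORTS[parts.scheme] and not allow_any_port:
            raise ValueError(f"non-standard port: {url}")
        connector = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = connector(parts.hostname, port, timeout=10)
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("GET", path, headers={"Host": parts.netloc, "User-Agent": "acme-preflight-demo"})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        if resp.status in (301, 302, 303, 307, 308):
            location = resp.getheader("Location")
            if not location:
                raise ValueError(f"redirect without Location at {url}")
            url = urljoin(url, location)       # Location may be relative
            continue
        if resp.status != 200:
            raise ValueError(f"HTTP {resp.status} at {url}")
        return url, body
    raise ValueError("too many redirects")

def check_http01(challenge_url, expected_key_authz, allow_any_port=False):
    try:
        final_url, body = fetch_following_redirects(challenge_url, allow_any_port)
    except (ValueError, OSError) as exc:
        return {"ok": False, "final_url": None, "reason": str(exc)}
    # Validators tolerate trailing whitespace, nothing else around the value.
    if body.decode("utf-8", errors="replace").strip() != expected_key_authz:
        return {"ok": False, "final_url": final_url, "reason": "body mismatch"}
    return {"ok": True, "final_url": final_url, "reason": "key authorization served"}

class _OriginDemo(BaseHTTPRequestHandler):
    """Constructed origin: a site-wide redirect also hits the challenge path (harmless,
    the file is still readable after the hop); a second rule wrongly sends it to '/'."""
    GOOD_TOKEN, BROKEN_TOKEN = "constructed-token-good", "constructed-token-broken"
    PREFIX = "/.well-known/acme-challenge/"
    answer = ""                                # filled in by run_demo()
    log_message = lambda *args: None           # keep the demo quiet

    def do_GET(self):
        if self.path == self.PREFIX + self.GOOD_TOKEN:
            self._send(301, location="/canonical" + self.path)
        elif self.path == "/canonical" + self.PREFIX + self.GOOD_TOKEN:
            self._send(200, self.answer.encode())
        elif self.path == self.PREFIX + self.BROKEN_TOKEN:
            self._send(302, location="/")
        else:
            self._send(200, b"<html><body>Front page</body></html>", "text/html")

    def _send(self, status, body=b"", ctype="text/plain", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def run_demo():
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "constructed", "y": "constructed"}
    _OriginDemo.answer = key_authorization(_OriginDemo.GOOD_TOKEN, account_jwk)
    server = HTTPServer(("127.0.0.1", 0), _OriginDemo)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}{_OriginDemo.PREFIX}"
    try:
        good = check_http01(base + _OriginDemo.GOOD_TOKEN, _OriginDemo.answer, True)
        broken = check_http01(base + _OriginDemo.BROKEN_TOKEN,
                              key_authorization(_OriginDemo.BROKEN_TOKEN, account_jwk), True)
    finally:
        server.shutdown()
        server.server_close()
    return good, broken

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Against a real origin you would call `check_http01("http://your-domain/.well-known/acme-challenge/<token>", <key authorization>)` after placing the token file, with `allow_any_port` left at its default so the port policy is enforced; a result of `body mismatch` after a redirect usually means the rewrite rule handed the request to the CMS rather than the file, which is exactly the case where the "don't redirect the directory" advice becomes relevant.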