Actually, no need to purchase it nowadays - at least from my point of view.
Except, there are some cases where we people have sub deep sub-domain levels like www.sub.domain.com or sub.sub.sub.domain.com. In this particular cases, I would suggest purchasing an SSL certificate by using Advanced Certificate Manager at Cloudflare. More information about ACM cane be read at the below link.
For above mentioned “deep sub-domains”, if interested or if you actually have this situation, you can find more information at the below two articles:
Nevertheless, depending on the access level and knowledge skills we have, we can setup Let's Encrypt SSL certificate (or using Certbot) at your origin host / server for our domain(s) for free and renew it when needed (usually every 3 months or so if I am correct about it as far as I remember).
It is recommended that your Website works over HTTPS (having an valid SSL certificate propperly installed at your origin host / server) before moving to Cloudflare (due to security measurements, also it’s 2021 at the end and almost 2022 so make our Websites even more secure both for ourself and our visitors ).
In case you do not have an SSL certificate, you can use Cloudflare Origin CA Certificate, if so, kindly make sure you follow the instructions as follows on the below article to setup an SSL certificate at your origin host/server.
Furthermore, I use this approach and I would vote for this (in case if you do not have an SSL certificate, be it either purchased from some SSL provider or generated by Let’s Encrypt)
Note: Cloudflare Origin CA Certificate works only for Web (HTTP(S)) traffic (not for e-mail!). So in terms of, if you host/serve e-mail from the same server or not, either you would have to have an SSL certificate which covers both your naked domain and mail (including some other sub-domains like www, etc.)
Hostnames (DNS records) using the Cloudflare Origin CA Certificate should be (proxied), otherwise using it on (DNS-only, unproxied) DNS records would encounter getting an SSL warning/error in user’s Web browser.
Helpful article including step-by-step instructions can be found at the below link: