That is not a DNS response. It comes from the webserver running on the IP that your hostname (or subdomain) resolves to. If your hostname is Proxied, the 404 response is being retrieved from your origin server and presented by the proxy, but it still orignates on your webserver.
It may be useful to set that subdomain to DNS Only while you determine the problem on your origin webserver.
That is your server. You need to secure it with a certificate. There are many options, including a commercial certificate, an automated free certificate, such as those offered by Let’s Encrypt, or, one of the most reliable options is to use a Cloudflare Origin CA certificate. Once you have it installed, itb will secure the traffic between your server and Cloudflare. It is only recognized by Cloudflare, so you will need to switch back to Proxied once you have it installed.