Yep, looks great with Cloudflare out of the way. It’s got something to do with their end (their middle?).
While they’re reverse proxying your origin server, they terminate TLS with their own certificate. Usually they bulk issue their certificates for this purpose (common “free tier” sites behind Cloudflare are often on the same ticket with 50+ other customers’ websites if you just check the alternate name list).
Dunno, maybe they just haven’t issued yours yet and are trying to hand out an empty cert - not that I’ve ever seen that behaviour before. Anyway, if you need the orange cloud in front, you’ll want to open a ticket with them. It’ll probably help if you can re-break it and demonstrate how to easily verify it’s broken.
Full (Strict) describes Cloudflare’s behaviour when connecting to your server (the origin server). It requires a scenario where the origin presents a publicly validated HTTPS certificate, ensures that communication only occurs if this is true.
Your Caddy satisfies that requirement. It gets its certificate from LetsEncrypt, validates them by writing a DNS record (incidentally via Cloudflare’s API, but you could easily use any compatible DNS provider).
Changing between Full (Strict) and Full shouldn’t have any affect on the issue (swapping to Flexible or Off should break your site with a different issue), but you should use (Strict) because you get additional security by requiring the certificate to be valid.
I also just remembered, none of the things we went over covered this part:
If you ever get this again in the logs, a few of us would be interested in investigating if we can reproduce it. It should never be able to happen (multiplexing listeners on a single port), so it would definitely be a bug.