Howdy @gmichaelr!
You might not need it to be actually on-demand - if you know what the domain name is going to be, you could just have Caddy actively maintain the certificate and save yourself a little bit of complexity. But if you do need to only requisition the certificate on-demand, I can point you to the docs for On-Demand TLS to get you started. You’ll need to set tls { on_demand } in your site block and configure an ask endpoint in your global options in order to mitigate bad actors abusing your setup; the doc will explain those further.
As for doing this with the Cloudflare DNS module, I can point you at a helpful wiki post:
And the Cloudflare DNS module itself, with specific usage instructions, is over at: GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare
If you’ve got any specific questions, feel free to ask here.
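Added example (not part of the original post and not Caddy's own code): a minimal ask endpoint of the kind the reply refers to, which approves on-demand certificate issuance only for hostnames on an allowlist. The listen address, the /check path and the domain names are assumptions made for illustration.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Matching Caddyfile global option (address and path are assumptions):
//   { on_demand_tls { ask http://127.0.0.1:5555/check } }
// Caddy calls the ask URL with ?domain=<hostname> before requesting a
// certificate and only proceeds with issuance on a 2xx response.

// allowedDomains is a constructed allowlist; in practice this would be a
// lookup against your own record of hostnames you agreed to serve.
var allowedDomains = map[string]bool{
	"app.example.com":  true,
	"shop.example.com": true,
}

// askStatus normalizes the hostname and returns the status to send back.
func askStatus(domain string) int {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if d == "" {
		return http.StatusBadRequest
	}
	if allowedDomains[d] {
		return http.StatusOK
	}
	return http.StatusForbidden // unknown name: no certificate is requested
}

// askHandler reads the "domain" query parameter that Caddy appends.
func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	status := askStatus(domain)
	if status != http.StatusOK {
		// Denials are worth logging: repeated unknown names suggest probing.
		log.Printf("on-demand TLS denied for %q", domain)
	}
	w.WriteHeader(status)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/check", askHandler)
	// Loopback only, so just the local Caddy instance can query it.
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", mux))
}
```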