Correct.
TLS-ALPN challenge is solved during TLS negotiation with Caddy.
If you have Cloudflare MITMing your HTTPS (i.e. orange-cloud), LetsEncrypt can’t negotiate TLS with Caddy; it must negotiate with Cloudflare, which then talks to your server on the client’s behalf.
You might try running Caddy with the `-disable-tls-alpn-challenge` flag, forcing Caddy (specifically, Caddy’s ACME library, acme-go/lego) to use the HTTP challenge instead. This should work despite the Cloudflare MITM.
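To make the argument above concrete, here is an added model (not Caddy, lego or Cloudflare code) of the two ACME validations: a TLS-ALPN-01 validator that expects the origin to negotiate `acme-tls/1` and present the SHA-256 of the key authorization in its certificate (RFC 8737), and an HTTP-01 validator that fetches the token over plain HTTP. The `Origin`, `CloudflareProxy` classes, the account JWK and the token are constructed stand-ins; the proxy terminates TLS with its own edge certificate and only forwards HTTP, which is exactly why the first check fails through it and the second succeeds.

```python
import base64, hashlib, json

# Constructed sample ACME account key (public members only; "n" is a placeholder, not a real modulus).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
TOKEN, DOMAIN = "constructed-challenge-token", "example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the compact, lexicographically ordered required JWK members."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"

class Origin:
    """Stand-in for Caddy: serves the TLS-ALPN-01 validation cert and the HTTP-01 token."""
    def __init__(self, domain: str, token: str, keyauth: str):
        self.domain, self.keyauth = domain, keyauth
        self.http_paths = {f"/.well-known/acme-challenge/{token}": keyauth}
    def tls_handshake(self, sni: str, alpn: list) -> dict:
        if sni == self.domain and "acme-tls/1" in alpn:  # RFC 8737 validation certificate
            return {"alpn": "acme-tls/1", "acme_ext": hashlib.sha256(self.keyauth.encode()).digest()}
        return {"alpn": "http/1.1", "acme_ext": None}    # ordinary site certificate otherwise
    def http_get(self, host: str, path: str):
        return self.http_paths.get(path)

class CloudflareProxy:
    """Stand-in for orange-cloud: terminates TLS with its own edge cert, proxies only HTTP."""
    def __init__(self, origin: Origin):
        self.origin = origin
    def tls_handshake(self, sni: str, alpn: list) -> dict:
        # The edge never negotiates acme-tls/1 and its certificate has no acmeIdentifier extension.
        return {"alpn": "h2" if "h2" in alpn else "http/1.1", "acme_ext": None}
    def http_get(self, host: str, path: str):
        return self.origin.http_get(host, path)          # HTTP requests do reach the origin

def validate_tls_alpn_01(endpoint, domain: str, keyauth: str) -> bool:
    hs = endpoint.tls_handshake(sni=domain, alpn=["acme-tls/1"])
    return hs["alpn"] == "acme-tls/1" and hs["acme_ext"] == hashlib.sha256(keyauth.encode()).digest()

def validate_http_01(endpoint, domain: str, token: str, keyauth: str) -> bool:
    return endpoint.http_get(domain, f"/.well-known/acme-challenge/{token}") == keyauth

def run_scenarios() -> dict:
    keyauth = key_authorization(TOKEN, ACCOUNT_JWK)
    origin = Origin(DOMAIN, TOKEN, keyauth)
    proxy = CloudflareProxy(origin)
    return {"tls_alpn_direct": validate_tls_alpn_01(origin, DOMAIN, keyauth),
            "tls_alpn_via_cloudflare": validate_tls_alpn_01(proxy, DOMAIN, keyauth),
            "http01_via_cloudflare": validate_http_01(proxy, DOMAIN, TOKEN, keyauth)}
```

The model omits the certificate checks a real validator also performs (SAN equal to the domain, critical acmeIdentifier extension); it isolates only the point at issue, which side terminates the TLS handshake.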