I read your step 3 as stating you installed Let’s Encrypt on a subdomain that was a subdomain of your free Cloudflare site but that you did not try to install Let’s Encrypt on your free Cloudflare site itself: on the main domain. I may have misread.
I read your step 4 as all applying, also, to subdomains of a main free Cloudflare enabled domain.
That being said, my set-up seems different in that I have one free Cloudflare enabled site, which is the main domain. I have two subdomains to the main domain, not Cloudflare enabled according to the control panel, but these two subdomains are sandboxes for test only, not used in any sensible way (not used at all, in fact). So only my main domain (abeille-cyclotourisme.fr) matters to me. It is free Cloudflare enabled and does not have unique IP.
I have just tried to enable Let’s Encrypt on the main domain, free Cloudflare enabled. The control panel wants me to select a for-pay Cloudflare plan (9.95$/mo), failing which, even when I click the “Sign certificate” tick box, nothing happens when I click the “Add now” button.
If I got this right, the difference between our two settings is that in your case the main domain, free Cloudflare enabled, does not contain your websites. All your websites seem to reside in sub-domains.
To apply this to my situation, to make my settings work as yours do, would I need to transfer my website from the main domain to a sub-domain, to which I would then add a Let’s Encrypt certificate without adding Cloudflare? TIA