They now support wildcards, but in order to verify you are authorised to get a wildcard certificate you need to be able to pass the DNS challenge. Unfortunately there simply isn't another universal, trust-less (and automatable) way of verifying that someone owns a domain -- other than DNS.
However, because the DNS check doesn't require writing to the webroot, you could run this on any server you like and then distribute the certificate to your edge nodes (meaning your edge nodes don't need to have access to write to your DNS). Some clients even have scripting hooks which could make this significantly easier.
(I assumed the "store my cloudflare API keys on my web host" aspect was your main concern with this method -- not necessarily who wrote the client because there are plenty of other clients.)
From the Caddy release announcement that supports wildcards[1]:
"This release introduces support for wildcard certificates, a new offering from Let's Encrypt. Getting a wildcard certificate requires enabling the DNS challenge. Fortunately, that is extremely simple with Caddy, and it works with over 20 different providers!"
In this case the third-party software implements a public protocol, comes with a full source written in a very readable language and is sufficiently small to permit a casual review.
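To make concrete what the DNS challenge actually verifies (and why a wildcard issuance can be proven from a central box that only needs DNS write access), here is an added example, not code from the post or from Caddy, that derives the `_acme-challenge` TXT record per RFC 8555 §8.4 and checks a set of TXT answers against it. The JWK and token below are constructed sample values, not real key material.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """ACME/JOSE base64url: URL-safe alphabet with padding stripped (RFC 8555 §2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised with lexicographically sorted keys and no whitespace.
    Extra members such as 'alg' must not influence the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: token '.' thumbprint(account key). Binds the challenge to the ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """Return (TXT owner name, TXT value) for a DNS-01 challenge.
    A wildcard identifier is validated on its base name (RFC 8555 §7.1.3),
    so '*.example.com' and 'example.com' share the same challenge name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)

def verify_dns01(identifier: str, token: str, account_jwk: dict, txt_records: list) -> bool:
    """The CA-side check: at least one TXT record at the challenge name must equal the digest.
    Unrelated TXT records (SPF, site verification tokens) at the same name are ignored."""
    _, expected = dns01_record(identifier, token, account_jwk)
    return any(record == expected for record in txt_records)

# Constructed sample inputs (not a real key): a fake RSA public JWK and a challenge token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "alg": "RS256",
              "n": b64url(b"not-a-real-modulus-just-sample-bytes")}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. IN TXT "{value}"')
    # A constructed answer set stands in for the resolver the CA would query.
    print(verify_dns01("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK, ["v=spf1 -all", value]))
```

Because only the TXT value (a hash of token and account-key thumbprint) is published, the host performing the challenge needs DNS write access but the edge nodes receiving the resulting certificate need neither that access nor the account key.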