Or better yet: use Cloudflare Tunnel to connect your origin to Cloudflare without exposing any inbound ports. I think you can also have Cloudflare present a client certificate that you can verify before responding.
Authenticated origin pulls are mutually exclusive with their tunnel. If you configure your firewall so that only the cloudflared tunnel process can access your origin server, then you can already be assured the request is coming from Cloudflare.
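A check for the "no exposed inbound ports" setup discussed above, as an added example that is not part of the original comments: it reads `ss -Htln` output and reports any TCP listener bound to a non-loopback address. The function names and the sample lines are constructed for illustration, and the check covers only listening sockets; limiting local access to the cloudflared process itself is a separate firewall rule.

```shell
#!/bin/sh
# Added example (not from the thread): find TCP listeners reachable from
# outside the host. Input is the output of `ss -Htln`
# (-H no header, -t TCP, -l listening, -n numeric).

# Print "address port" for every listener not bound to a loopback address.
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
            sub(/%.*$/, "", addr)                 # drop interface scope, e.g. %lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            print addr, port
        }'
}

# Return 0 when nothing is exposed; otherwise print the findings and return 1.
audit_listeners() {
    found=$(exposed_listeners)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: origin on loopback only, as expected behind a tunnel.
SAMPLE_TUNNEL_ONLY='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 [::1]:8080 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Constructed sample: a web server and SSH still bound to all interfaces.
SAMPLE_EXPOSED='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Demo on the constructed data; on a real host use: ss -Htln | audit_listeners
printf '%s\n' "$SAMPLE_EXPOSED" | audit_listeners || true
```

A listener flagged here may still be blocked by a host or network firewall, so treat the output as a list of sockets to review rather than proof of exposure.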