Using Let's Encrypt with Cloudflare

Welcome to the HestiaCP forum.

That understanding is incorrect. I use Let’s Encrypt certificates on my origins with the Cloudflare proxy always enabled. Make sure that you don't have any settings in your Cloudflare config that could disrupt the HTTP-01 challenge, such as Always Use HTTPS.

I like to use Config Rules to force requests to the /.well-known/acme-challenge path to use HTTP, among a few other settings. You can see a somewhat complete selection here:

See if that helps. You should be able to use the native HestiaCP options to obtain Let’s Encrypt certificates once your Cloudflare is set up correctly.

Another option is to use Cloudflare Origin CA certificates, but they are incompatible with direct access, due to only being trusted by the Cloudflare edge. This limits them to use with only proxied HTTPS traffic.

3 Likes
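
An added pre-flight check, not part of the original post or of HestiaCP: it drops a random file under /.well-known/acme-challenge/ in the origin's webroot, fetches it over plain HTTP through the proxy without following redirects, and reports what came back. The domain and webroot are arguments you supply; the result labels and the script name are this example's own.

```python
import http.client
import secrets
import sys
from pathlib import Path

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)

def classify(status, location, body, expected):
    """Interpret one plain-HTTP response for a probe file under ACME_PREFIX."""
    if status in REDIRECTS:
        # Typical of an HTTPS-forcing setting applied to the challenge path.
        to_https = (location or "").lower().startswith("https://")
        return "redirected-to-https" if to_https else "redirected"
    if status != 200:
        return "http-error"
    # A 200 with other content means something else answered
    # (an interstitial page, a cached object, a different vhost).
    return "ok" if body.strip() == expected else "wrong-body"

def probe(domain, webroot, port=80, timeout=10):
    """Drop a random file in the webroot and fetch it over plain HTTP."""
    name = "preflight-" + secrets.token_hex(8)
    expected = secrets.token_hex(16)
    challenge_dir = Path(webroot) / ACME_PREFIX.strip("/")
    challenge_dir.mkdir(parents=True, exist_ok=True)
    probe_file = challenge_dir / name
    probe_file.write_text(expected)
    # http.client never follows redirects, so the first hop is what we see.
    conn = http.client.HTTPConnection(domain, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + name)
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return classify(resp.status, resp.getheader("Location"), body, expected)
    finally:
        conn.close()
        probe_file.unlink(missing_ok=True)

if __name__ == "__main__":
    # Usage: python3 preflight.py example.com /path/to/webroot
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py <domain> <webroot>")
    result = probe(sys.argv[1], sys.argv[2])
    print(f"{sys.argv[1]}: {result}")
    sys.exit(0 if result == "ok" else 1)
```

Let's Encrypt's validator follows redirects, so `redirected-to-https` is not always fatal, but it makes validation depend on the HTTPS path through Cloudflare to the origin working as well. Run the script on the origin server so the probe file lands in the webroot that actually serves the domain.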