You’re absolutely right about the wildcard operator not being proxied by CloudFlare and the LE cert fundamentally offering the same product. The difference I see here is the ease of adding SSL-protected subdomains via CloudFlare and not mucking around with .
The MVP nature of your project says to me that you could be (at this point) manually adding client/customer subdomains to CloufFlare (just as you would using the Cloudways panel to add subdomains to the LE cert). The reason I’d go with CloudFlare for this one is the availability of a robust API on CloudFlare.
Once you’re up and running and it’s impractical to manually add subdomains to CloudFlare, you can begin leveraging the API to add subdomains on-demand. I’d leverage the New Blog action in WP Multisite to execute a function that adds the appropriate CNAME record to CloudFlare The CURL example from the documentation is below, but you could easily convert this example to PHP (Google “curl to PHP”) so that you can execute it in the New Blog action function.
curl -X PUT "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/dns_records/372e67954025e0ba6aaa6d586b9e0b59" \
-H "X-Auth-Email: firstname.lastname@example.org" \
-H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
-H "Content-Type: application/json" \