Have they started to use per-domain certificates for this, or can anyone who finds the origin bypass the check by creating their own (different) Cloudflare domain and pointing it at your origin?

Edit: Looks still the same by default, but at least they're (somewhat obscurely) documenting the issue and providing the option to use a custom cert now...

https://developers.cloudflare.com/ssl/origin-configuration/a...