Validating a certificate of origin
Cloudflare sits on the network between end-user web browsers and website origin servers. Cloudflare fulfills the request from cache when possible, but when not possible, goes back to the origin web server in a second connection. The link between end-user web browsers and Cloudflare benefits from strong security technology -- strong ciphers, SSL with automatically provisioned certificates, and the public CA infrastructure which maps certificates to domain names.
Browsers validate the server certificate to ensure they're communicating with the correct web server.
To have Fastly verify the certificate using a different hostname, specify it via the SNI Hostname field under Advanced options.
Operating a public certificate authority is difficult because you don't directly control either endpoint of the HTTPS connection (browser or web server).