Discourse and Cloudflare

I think you misunderstood how LE’s HTTP-01 challenge works.
It looks for the token that certbot or another variant of LE client puts, most of the time, into the .well-known subfolder of the webserver.
But it isn’t hardcoded to start the request on port 80, ignore any HTTP code redirects and fail outright if it can’t find the token.
The HTTP-01 challenge is able to follow HTTP redirects (so 301 and 302) and is therefore able to read the .well-known folder through 443 and HTTPS.
And the reason it works for Cloudflare Universal SSL WITH Redirect (and Cloudflare Tunnel) is that Cloudflare answers in place of the webserver on Port 80, redirects the request to 443, where LE can read the token and the CA can issue the cert.

High-Level diagram of the flow:

Certbot starts HTTP-01
→ POSTs cert request to CA and puts token into .well-known
→ CA starts GET for Token on FQDN port 80
→ CF redirects to port 443 and secures the request with its Universal SSL cert
→ Request is forwarded to the webserver itself (through CF Tunnel or direct)
→ CA is able to GET the token in .well-known because port 443 is able to present the token the same way HTTP and port 80 would
→ CA POSTs the RAW cert data and Certbot creates the files
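
The flow described in the post above, as an added example (not part of the original post): a small offline model of the validator's redirect walk, using the limits Let's Encrypt documents for HTTP-01 (start on port 80, at most 10 redirects, only http/https on ports 80 or 443, no IP-literal targets). The hostnames, token, key authorization and the `fake_fetch` response table are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin
import ipaddress

MAX_REDIRECTS = 10           # redirect depth Let's Encrypt documents for HTTP-01
REDIRECT_CODES = (301, 302)  # the two codes the post names

def allowed(url):
    """Redirect targets must be http/https, on port 80 or 443, and not an IP literal."""
    u = urlsplit(url)
    try:
        port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
    except ValueError:       # malformed port in the Location header
        return False
    if u.scheme not in ("http", "https") or not u.hostname or port not in (80, 443):
        return False
    try:
        ipaddress.ip_address(u.hostname)
        return False         # IP literal: rejected
    except ValueError:
        return True          # a hostname: accepted

def validate(domain, token, expected, fetch):
    """Walk the challenge URL as the CA would; return (ok, hops)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"  # first request is on port 80
    hops = [url]
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return status == 200 and body.strip() == expected, hops
        url = urljoin(url, location)
        hops.append(url)
        if not allowed(url):
            return False, hops
    return False, hops       # redirect limit exceeded

# Constructed sample: an edge that answers on port 80 with a redirect to HTTPS,
# and an origin that serves the key authorization over 443.
TOKEN, KEYAUTH = "constructed-token", "constructed-token.constructed-thumbprint"
PATH = f"/.well-known/acme-challenge/{TOKEN}"
SITE = {
    f"http://example.test{PATH}": (301, f"https://example.test{PATH}", ""),
    f"https://example.test{PATH}": (200, None, KEYAUTH + "\n"),
    f"http://bad.test{PATH}": (302, f"https://bad.test:8443{PATH}", ""),
}

def fake_fetch(url):
    return SITE.get(url, (404, None, ""))
```

Swapping `fake_fetch` for a real HTTP client that does not auto-follow redirects turns this into a pre-flight check you can run before requesting a certificate.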