Discourse and Cloudflare

I think I understand it pretty well. You are right, it can be redirected to HTTPS, but it depends on Cloudflare settings and webserver configuration whether that will work or not, since initially there will be no valid certificate on the origin server.

Yes, they can be redirected to a different port, but HTTP-01 challenges must always start on port 80.

See Challenge Types - Let's Encrypt

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

2 Likes
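Added example, not part of the original post: a small checker for the redirect chain an HTTP-01 validation would follow, useful when reviewing proxy and webserver redirect rules. The redirect limits it enforces (at most 10 redirects, only http or https, only ports 80 or 443, no IP-address targets) come from the Let's Encrypt Challenge Types page linked above; the domain, token and sample chains are constructed.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

MAX_REDIRECTS = 10                      # redirect depth Let's Encrypt will follow
DEFAULT_PORT = {"http": 80, "https": 443}

def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def check_http01_chain(domain, token, chain):
    """chain[0] is the validator's first request; the rest are redirect targets.
    Returns a list of problems; an empty list means the chain is acceptable."""
    if not chain:
        return ["empty chain"]
    problems = []
    if len(chain) - 1 > MAX_REDIRECTS:
        problems.append(f"{len(chain) - 1} redirects, limit is {MAX_REDIRECTS}")
    for hop, url in enumerate(chain):
        u = urlsplit(url)
        host = u.hostname or ""
        port = u.port or DEFAULT_PORT.get(u.scheme)
        if hop == 0:
            # The challenge always starts as plain HTTP on port 80.
            if (u.scheme, host, port) != ("http", domain, 80):
                problems.append(f"hop 0: must start at http://{domain} on port 80")
            if u.path != f"/.well-known/acme-challenge/{token}":
                problems.append("hop 0: wrong challenge path")
            continue
        if u.scheme not in DEFAULT_PORT:
            problems.append(f"hop {hop}: scheme {u.scheme!r} not allowed")
        elif port not in (80, 443):
            problems.append(f"hop {hop}: port {port} not allowed")
        if _is_ip(host):
            problems.append(f"hop {hop}: redirect to IP address {host}")
    return problems

# Constructed sample chains for a hypothetical forum behind a proxy.
PATH = "/.well-known/acme-challenge/tok123"
GOOD = ["http://forum.example.com" + PATH, "https://forum.example.com" + PATH]
BAD_PORT = ["http://forum.example.com" + PATH, "https://forum.example.com:8443" + PATH]
BAD_START = ["http://forum.example.com:8080" + PATH]
BAD_IP = ["http://forum.example.com" + PATH, "http://203.0.113.7" + PATH]

if __name__ == "__main__":
    for name, chain in [("GOOD", GOOD), ("BAD_PORT", BAD_PORT),
                        ("BAD_START", BAD_START), ("BAD_IP", BAD_IP)]:
        print(name, check_http01_chain("forum.example.com", "tok123", chain))
```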