As a follow-up to this, and I’m not sure if this is madness or not but one way around that seems to work is to do the following:
- Set up S3 uploads i.e. mybucket and then let Discourse use that.
- In AWS create a CloudFront distribution for that S3 bucket. Set up an alternative CNAME called ‘uploads.myforum.com’.
- In CloudFlare set up a CNAME and active cache for uploads.myforum.com and point it at the xyz.cloudfront.net AWS domain name for that distribution.
- Tell Discourse to use the CDN URL https://uploads.myforum.com (and I guess rebake posts, although the old Cloudfront URL should resolve still fine?)

That way you get a wildcard HTTPS on your images and (I guess?) lower CloudFront and S3 GETs and bandwidth. A couple of CURL tests show Cloudflare is caching ok in front of Cloudfront.
So, basically using CloudFront’s ability to have an alternative CNAME to get around the periods in S3 upload buckets in Discourse.
This all seems to work ok (I think?), but the Discourse CDN setting doesn’t seem to do what I thought it would do, i.e:
If all the URLs in the uploads used the CDN value then we’d be good.
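
The curl check mentioned above can be made repeatable by reading the two cache headers in the response; this is an added example, not part of the original post. It assumes Cloudflare's `cf-cache-status` and CloudFront's `x-cache` response headers are present, and the sample headers are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify which layer answered a request for an upload,
# from the response headers of `curl -sI`.
# Live use (path is a placeholder):
#   curl -sI https://uploads.myforum.com/<path-to-upload> | served_by

# Constructed sample headers: first request (cold) and a repeat request.
SAMPLE_FIRST=$(printf 'HTTP/2 200\r\ncf-cache-status: MISS\r\nx-cache: Miss from cloudfront\r\n')
SAMPLE_SECOND=$(printf 'HTTP/2 200\r\ncf-cache-status: HIT\r\nx-cache: Miss from cloudfront\r\n')

# Reads headers on stdin, prints "cloudflare=<STATUS> cloudfront=<hit|miss|other|absent>".
cache_layers() {
  tr -d '\r' | awk -F': *' '
    { name = tolower($1) }
    name == "cf-cache-status" { cf = toupper($2) }
    name == "x-cache"         { aws = tolower($2) }
    END {
      if (cf == "") { cf = "absent" }
      if (aws == "") { aws = "absent" }
      else if (aws ~ /^hit from cloudfront/) { aws = "hit" }
      else if (aws ~ /^miss from cloudfront/) { aws = "miss" }
      else { aws = "other" }
      print "cloudflare=" cf " cloudfront=" aws
    }'
}

# Reads headers on stdin, prints the layer that served the object.
# On a Cloudflare HIT the x-cache value is replayed from the cached
# response, so it is ignored in that case.
served_by() {
  case "$(cache_layers)" in
    cloudflare=HIT\ *) echo cloudflare-edge ;;
    *cloudfront=hit)   echo cloudfront-edge ;;
    *)                 echo origin-fetch ;;
  esac
}

printf '%s\n' "$SAMPLE_FIRST"  | served_by   # cold request goes through to the bucket
printf '%s\n' "$SAMPLE_SECOND" | served_by   # repeat request is answered by Cloudflare
```

If repeat requests keep reporting `origin-fetch`, neither CDN is caching the object and every image view still costs an S3 GET.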