We don’t have a good way to let you install origin certificates. You can do your own TLS termination in your app/nginx. You just have to remove the tls and http handlers from [services] in fly.toml.
You can’t do TLS between Cloudflare and Fly.io using just your app IPs; we don’t serve certificates for those. You might be able to create a CNAME record that points to <appname>.fly.dev and have it use TLS, however. I’m not actually sure how their full stack works.
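
The handler change described in the reply above, written out as a fly.toml fragment. This is an added example, not part of the original post; the app name, the internal ports, and the choice to listen only on 443 are assumptions.

```toml
# Constructed example: app name and ports are placeholders.
app = "example-app"

# Before: Fly's edge terminates TLS and speaks HTTP to the app.
# [[services]]
#   internal_port = 8080
#   protocol = "tcp"
#
#   [[services.ports]]
#     port = 443
#     handlers = ["tls", "http"]

# After: with no handlers on the port, the connection on 443 is passed
# through as raw TCP, and the app/nginx listening on internal_port
# completes the TLS handshake with its own (origin) certificate.
[[services]]
  internal_port = 8443   # assumed: nginx listens here with ssl enabled
  protocol = "tcp"

  [[services.ports]]
    port = 443
```

With this layout the certificate and private key live inside the app image or its secrets, so renewing them becomes the app's job rather than the platform's.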