Hmm. Certainly appears to be TLS related, given removing https fixes it, and the 525 code directly relates to that too. Unlike e.g a 500 or 504 etc.
My first thought, given those numbers, would be it could be related to this:
Since I know Workers re-use a single instance, unlike e.g Lambda where is only one instance handling each request. And so it would follow the requests are coming from the same IP. Not quite sure how to avoid that other than handle TLS in-app to avoid any Fly-proxy restriction.