I double checked all the permissions, and my custom Trellis tasks were literally copied from the ones you shared. For some reason, using a variable in an SSL file path just wasn’t working with CloudFlare. And variables are allowed.
I ended up making a server block for each site, which seems to be the recommended way anyway, and it worked (and I should mention it’s working with the exact same SSL certs & keys that failed when I was using a variable in the file path).
Very strange, but I got it working and accomplished what I set out to do. Thanks for the prompt responses!