In Cloudflare, under SSL/TLS → Overview, try setting your encryption mode to Full.
If your landing page starts working, but you own other subdomains that support Full Strict, you will instead want to set up a Cloudflare Configuration Rule specifically targeting your ConvertKit landing page. This is the preferred option, as it will allow you to downgrade the security of your landing page only, rather than your entire site’s.
Another option is to disable Cloudflare for the ConvertKit landing page. Under DNS, change all three of your landing page’s A records from Proxied (orange cloud) to DNS Only (gray cloud) . This should only be a last resort if nothing else works.