
You can get free SSL from CloudFlare and connect it with the free SSL option at https://yourApp.herokuapp.com. (That's what I use at https://www.learneroo.com)


The only potential problem is that Cloudflare doesn't check the validity of the herokuapp.com cert, so in theory someone could MITM the connection. In practice, I'm not sure how you'd even get Cloudflare to connect to the rogue proxy, short of taking control of the DNS of *.herokuapp.com.


That's not true. When you set up crypto in Cloudflare you need to pick between "Full SSL (Strict)", which requires a valid certificate, and "Full SSL (non-strict)", which allows you to use a self-signed certificate or whatnot, but there's no reason you should be using that mode if you already have a valid certificate (as is the Heroku case).


"Full SSL (Strict)" doesn't work with the certificate provided for free by Heroku:

  By default Heroku offers a wildcard SSL certificate which only covers
  ‘*.herokuapp.com’. This means that ‘Full SSL’ can be utilized as a default,
  which does not require that the SAN contains your FQDN. To utilize
  Full (Strict) you will need to add your own SSL certificate to your
  Heroku app, which can be done by using their ‘SSL Endpoint’ add-on.
https://support.cloudflare.com/hc/en-us/articles/205893698-C...
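
Added example, not part of any comment above and not Cloudflare's or Heroku's code: a simplified model of the two modes as the thread describes them, showing why the `*.herokuapp.com` wildcard passes "Full" but fails "Full (Strict)" for a custom domain. The function names and the sample certificate lists are assumptions made for illustration.

```python
# Simplified model of origin-certificate checks; names here are hypothetical.

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard covers exactly one label; patterns like '*.com' are rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def origin_accepted(mode: str, sans: list[str], chain_trusted: bool, fqdn: str) -> bool:
    """Model of the two modes as described in the thread.

    'full'   : encrypts to the origin but does not validate its certificate.
    'strict' : requires a trusted chain and a SAN that covers the site's FQDN.
    """
    if mode == "full":
        return True
    if mode == "strict":
        return chain_trusted and any(san_matches(s, fqdn) for s in sans)
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample data using the names mentioned in the thread.
HEROKU_WILDCARD = ["*.herokuapp.com"]   # default certificate on herokuapp.com
CUSTOM_CERT = ["www.learneroo.com"]     # hypothetical certificate added to the app

if __name__ == "__main__":
    site = "www.learneroo.com"
    for mode in ("full", "strict"):
        print(mode, "wildcard, trusted chain ->",
              origin_accepted(mode, HEROKU_WILDCARD, True, site))
        print(mode, "custom cert, trusted    ->",
              origin_accepted(mode, CUSTOM_CERT, True, site))
        print(mode, "custom cert, self-signed ->",
              origin_accepted(mode, CUSTOM_CERT, False, site))
```

In this model "full" accepts every origin certificate, including an untrusted one, which is the validation gap raised earlier in the thread; "strict" accepts only the trusted certificate whose SAN covers the custom domain.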



