Which presumably only works if your site is using Cloudflare? Since you wouldn't be MITMing SSL in order to inject this header?

This is correct. It's significantly harder to inject the origin IP into a TCP stream. We have ways [1] of doing it, but it requires some coordination on both sides.

1- https://blog.cloudflare.com/mmproxy-creative-way-of-preservi...

Have you considered enabling this out of band? For example as a network administrator I could verify a CIDR block and receive a real time stream of 5-tuples (err, 7-tuples with the proxy?) destined to my network.