HTTPS GitHub Pages DNS to Enforce SSL
Strictly speaking, it's not necessary for you to verify that you have control of the parent namespace, i.e. the superior domain for which you have requested a TLS server certificate or to implement CAA.
Let's Encrypt will automatically issue the certificate via GitHub Pages automation as long as the common name in the signing request generated by GitHub resolves to the GitHub Pages server IP address. So, troubleshooting: is that the case? Is it working without Enforce HTTPS enabled?
The automation to request and issue the server certificate does entail a significant workload at scale, and so it is conceivable too as you suspected that there is simply a delay in issuance.
The Let's Encrypt bots at GitHub MUST see the GitHub IP addresses in order to create the certificate dynamically. Consequently, if you're using Cloudflare (or similar), you'll need to unproxy the CNAME's pointed to GitHub, so that the robots see GitHub IP's and not Cloudflare (or other) IP addresses.
Once the Let's Encrypt robots confirm that the route is pointed to their own infrastructure, then the certificate will be properly created and setup for that custom domain name.