#1745 - Make available config option for registering real IP within Composr when using CloudFlare instead of CloudFlare's IP

The problem with this is that Apache still has the wrong IPs, meaning you can't set up IP-based access rules, and the web logs will be wrong. Any Apache-level restrictions, like some kind of DDOS filter, would not work. Investigating a hacker's trail would be harder or perhaps impossible. I'm not very comfortable with that as a supported solution, although what you propose is technically fine.
Oh right yes, there's another reason why we didn't do this, something MUCH more concerning...

If there is no Cloudflare module on the server, then that means this IP is coming from an HTTP header. That means it is trivially forged by a hacker, with no negative consequences to them. If they managed to find the IP address of an admin, and session ID of an admin, they could steal that admin's login session. Finding the IP would be easy, just get them to view an image off their own server for example. Finding the session is much harder, but theoretically the admin could be tricked into it somehow.

So I'm not comfortable with the security degradation this represents.
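The forgery risk described in the post is the reason a "real IP" option has to be gated on where the connection actually came from: the header may only be honoured when the TCP peer is one of the proxy's own addresses, and otherwise the peer address is the only thing to record. The following is an added illustration of that check, written here as generic Python rather than as Composr's code; `CF-Connecting-IP` is Cloudflare's documented header (seen as `HTTP_CF_CONNECTING_IP` in a CGI-style environment), while the trusted ranges, the request dictionaries and the function names are constructed for the example.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed placeholder ranges standing in for the proxy's published address list.
# A real deployment loads the current list from the proxy vendor rather than hard-coding it.
TRUSTED_PROXY_CIDRS = ("203.0.113.0/24", "2001:db8:1::/48")
REAL_IP_HEADER = "HTTP_CF_CONNECTING_IP"  # CGI name of Cloudflare's CF-Connecting-IP


def _peer_is_trusted_proxy(remote_ip: ipaddress._BaseAddress,
                           trusted_cidrs: Iterable[str]) -> bool:
    """True when the TCP peer falls inside one of the configured proxy ranges."""
    return any(remote_ip in ipaddress.ip_network(c, strict=False) for c in trusted_cidrs)


def client_ip(environ: Mapping[str, str],
              trusted_cidrs: Iterable[str] = TRUSTED_PROXY_CIDRS,
              header: str = REAL_IP_HEADER) -> Optional[str]:
    """Return the address to record for this request, or None if the peer address is unusable.

    The forwarded header is honoured only when the connection arrived from a trusted proxy.
    A direct connection that carries the header is treated as if the header were absent,
    because anyone can send it; this is what stops the session-theft scenario in the post.
    """
    try:
        remote_ip = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None  # malformed or missing peer address: refuse to guess
    if not _peer_is_trusted_proxy(remote_ip, trusted_cidrs):
        return str(remote_ip)  # direct client: the header must be ignored
    try:
        return str(ipaddress.ip_address(environ.get(header, "").strip()))
    except ValueError:
        return str(remote_ip)  # proxy sent nothing usable: fall back to the peer


def header_from_untrusted_peer(environ: Mapping[str, str],
                               trusted_cidrs: Iterable[str] = TRUSTED_PROXY_CIDRS,
                               header: str = REAL_IP_HEADER) -> bool:
    """Detection helper: True when a non-proxy peer supplied the real-IP header.

    Worth logging, since a legitimate client behind the proxy never reaches the
    origin directly; a hit means the origin is reachable around the proxy.
    """
    try:
        remote_ip = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return header in environ and not _peer_is_trusted_proxy(remote_ip, trusted_cidrs)


# Constructed sample requests (CGI-style environment dictionaries).
VIA_PROXY = {"REMOTE_ADDR": "203.0.113.10", "HTTP_CF_CONNECTING_IP": "198.51.100.42"}
VIA_PROXY_BAD_HEADER = {"REMOTE_ADDR": "203.0.113.10", "HTTP_CF_CONNECTING_IP": "not-an-ip"}
DIRECT_FORGED = {"REMOTE_ADDR": "198.51.100.7", "HTTP_CF_CONNECTING_IP": "192.0.2.1"}
DIRECT_PLAIN = {"REMOTE_ADDR": "2001:db8:2::5"}

if __name__ == "__main__":
    for name, env in [("via proxy", VIA_PROXY), ("via proxy, bad header", VIA_PROXY_BAD_HEADER),
                      ("direct, forged header", DIRECT_FORGED), ("direct", DIRECT_PLAIN)]:
        print(f"{name:22s} -> record {client_ip(env)}; "
              f"spoof attempt: {header_from_untrusted_peer(env)}")
```

The check only closes the session-hijack angle; it does nothing for the Apache-level logging and access-rule problems raised earlier in the thread, which still need the proxy's web-server module (or an equivalent `mod_remoteip`-style configuration) so that the rewritten address is what Apache itself sees.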