I have a simple form to send an email to my personal email. I'm able to send the email fine in the development environment, but in the production environment (I use Heroku and the Mailgun addon for hosting and Cloudflare for my domain) I get a 403 Forbidden Error. Heroku provides my SSL certificate for my site.
I checked that my middleware is in the correct order, and I have my production environment settings as follows:
```python
import os

import dj_database_url

DEBUG = False

# Trust the proxy's X-Forwarded-Proto header when deciding whether a request is HTTPS
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

ALLOWED_HOSTS = [
    'anonymousdomain.com',
    'www.anonymousdomain.com',
    'pointer1.herokudns.com',
    'pointer2.herokudns.com',
]

DATABASES = {
    'default': dj_database_url.config()
}

# Mailgun SMTP credentials provided by the Heroku add-on
EMAIL_HOST = os.environ.get('MAILGUN_SMTP_SERVER', '')
EMAIL_PORT = os.environ.get('MAILGUN_SMTP_PORT', '')
EMAIL_HOST_USER = os.environ.get('MAILGUN_SMTP_LOGIN', '')
EMAIL_HOST_PASSWORD = os.environ.get('MAILGUN_SMTP_PASSWORD', '')
```
I checked the headers when making the request, and the origin is the same as the referrer, except the referrer has a trailing slash at the end of the domain, but I don't think that should be an issue (e.g. the origin is https://www.anonymousdomain.com and the referrer is https://www.anonymousdomain.com/).
My ALLOWED_HOSTS setting allows all the domains and domain pointers that I use in my DNS (the ones given by Heroku when you add a custom domain) as well. The only thing I can think of is the layer of headers that may be getting added to my site because I'm using Cloudflare and they use proxying for DNS records. Also, the email form was working fine before I added SSL certificates to my domains via Heroku, but I'm not sure why that would cause any issues. If anyone could help I'd be greatly appreciative.
I tried adding `CSRF_COOKIE_SECURE = True` to my production environment settings, but that didn't make any difference. I checked my middleware order, my HTML, and my ALLOWED_HOSTS setting and they all seem to be fine. I haven't tried much of anything else because I'm not sure where this issue is originating from.
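
An added example, not part of the original post and not Django's own source: a simplified model of the Origin/Referer comparison that Django's CSRF middleware performs (assuming Django 4.0 or later, which checks the `Origin` header), useful for reasoning about the headers and the `SECURE_PROXY_SSL_HEADER` setting described above. The function names and the sample requests are constructed for illustration; the CSRF token check itself is not modelled.

```python
from urllib.parse import urlsplit

# Values from the question's settings; CSRF_TRUSTED_ORIGINS is not set there.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
CSRF_TRUSTED_ORIGINS = []

def is_secure(meta):
    """True when the header named in SECURE_PROXY_SSL_HEADER reports https."""
    header, secure_value = SECURE_PROXY_SSL_HEADER
    if header in meta:
        return meta[header].split(",")[0].strip() == secure_value
    return meta.get("wsgi.url_scheme") == "https"

def origin_check(meta):
    """Return (accepted, reason) for the Origin/Referer part of the check."""
    scheme = "https" if is_secure(meta) else "http"
    host = meta["HTTP_HOST"]
    origin = meta.get("HTTP_ORIGIN")
    if origin is not None:
        expected = f"{scheme}://{host}"
        if origin == expected or origin in CSRF_TRUSTED_ORIGINS:
            return True, "origin matches"
        return False, f"origin {origin} != {expected}"
    if scheme == "https":
        referer = urlsplit(meta.get("HTTP_REFERER", ""))
        # Only scheme and host are compared; the trailing "/" path is ignored.
        if referer.scheme != "https" or referer.netloc != host:
            return False, "referer does not match host"
    return True, "no origin header; referer acceptable"

# Constructed requests using the placeholder domain from the question.
BASE = {
    "HTTP_HOST": "www.anonymousdomain.com",
    "HTTP_ORIGIN": "https://www.anonymousdomain.com",
    "HTTP_REFERER": "https://www.anonymousdomain.com/",
    "wsgi.url_scheme": "http",  # the app server itself receives plain HTTP
}
FORWARDED_HTTPS = {**BASE, "HTTP_X_FORWARDED_PROTO": "https"}
FORWARDED_HTTP = {**BASE, "HTTP_X_FORWARDED_PROTO": "http"}

if __name__ == "__main__":
    for name, meta in (("proto=https", FORWARDED_HTTPS),
                       ("proto=http", FORWARDED_HTTP)):
        print(name, origin_check(meta))
```

Comparing the second result with the `X-Forwarded-Proto` value the app actually receives (for example by logging `request.META` in production) shows whether the proxy layer is reporting a different scheme than the browser used.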