Does the person who requests an SSL certificate must have their private key on their machine?
Yes. The client cannot present the certificate as their own in the SSL handshake without the private key, as a digital signature with that key is also part of the SSL handshake, to verify that the client owns it. If the client didn't need the private key to present the certificate, anybody could present anybody's certificate and the whole system would be completely pointless.
Is this going to work?
No.
Is it unsafe in some way?
Yes.
Is it okay to move like that from the client side to the server side the responsibility of creating the public/private keys for creating the CSR?
No.
Will this make the created certificate less useful in some way for the user?
Yes.
It isn't going to work. You have to find a secure way for the private key to exist on the client machine.
What you're proposing is completely and utterly invalid and insecure. The private key is supposed to be private to the person that owns it. If anybody else knows it, it cannot perform the function for which it is designed. Specifically, anybody who has it can impersonate the owner. People who design workflows like this are letting themselves in for a world of legal pain. Have a think about loss of non-repudiation for a start.