Why HTTPS Matters.
Lighthouse flags pages that aren't on HTTPS.
Lighthouse waits for an event from the Chrome Remote Debugging Protocol indicating that the page is running on a secure connection. If the event isn't heard within 10 seconds, the audit fails.
In the Lighthouse report UI the full PWA badge is given when you pass all of the audits in all of the PWA subcategories (Fast and reliable, Installable, and PWA optimized).
Consider hosting your site on a CDN. Most CDNs are secure by default.
To learn how to enable HTTPS on your servers, see Google's Enabling HTTPS on Your Servers. If you're running your own server and need a cheap and easy way to generate certificates, Let's Encrypt is a good option.
If your page is already running on HTTPS but you're failing this audit, you may have problems with mixed content. A page has mixed content when the page itself is loaded over HTTPS, but it requests an unprotected (HTTP) resource. Check out the following doc on the Chrome DevTools Security panel to learn how to debug these situations: Understand Security Issues With Chrome DevTools.
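The mixed-content condition described above can also be checked outside the browser. The following is an added example, not part of the original page or of Lighthouse: a heuristic, regex-based scan of an HTML string for subresources that resolve to `http:` on an HTTPS page. The function names, the active/passive labels and the `example.test` sample markup are assumptions made for the illustration.

```javascript
// Tags whose URL attribute triggers a subresource fetch. <a href> is navigation, not mixed content.
// kind: "active" can alter the page (script, frame, stylesheet); "passive" is media.
const SUBRESOURCE_TAGS = {
  script: { attr: "src", kind: "active" },
  iframe: { attr: "src", kind: "active" },
  link:   { attr: "href", kind: "active" }, // counted only when rel includes "stylesheet"
  img:    { attr: "src", kind: "passive" },
  audio:  { attr: "src", kind: "passive" },
  video:  { attr: "src", kind: "passive" },
  source: { attr: "src", kind: "passive" },
};

function getAttr(tagText, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i").exec(tagText);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // mixed content only exists on HTTPS pages
  const findings = [];
  const tagRe = /<([a-zA-Z]+)\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const spec = SUBRESOURCE_TAGS[tag];
    if (!spec) continue;
    if (tag === "link" && !/stylesheet/i.test(getAttr(m[0], "rel") || "")) continue;
    const raw = getAttr(m[0], spec.attr);
    if (!raw) continue;
    let resolved;
    try { resolved = new URL(raw, page); } catch { continue; } // skip unparsable URLs
    if (resolved.protocol === "http:") findings.push({ tag, kind: spec.kind, url: resolved.href });
  }
  return findings;
}

// Constructed sample page (hypothetical hosts under the reserved .test TLD).
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
<img src="/logo.png">
<img src='http://img.example.test/banner.jpg'>
<a href="http://other.example.test/">link</a>`;

console.log(findMixedContent(SAMPLE_HTML, "https://www.example.test/index.html"));
```

Protocol-relative and root-relative URLs inherit the page's scheme, so they are not reported. Resources injected by scripts at runtime are invisible to a static scan like this and still need the DevTools Security panel.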