It's probably not a deliberate attack, but consider the incentive structure and the goals here.
Cloudflare is a site protection service. Their goal is to keep malicious traffic from griefing their customers. To do that, they have to distinguish malicious and non-malicious traffic. That becomes a game of trust, and if the user agent is masking its signal (or, more generally, making its signal less distinct) in the interest of privacy for its user, there are fewer trust hooks for Cloudflare to use to distinguish legit Firefox-shaped traffic from attacks.
Ironically, attempting to keep oneself anonymous can make one lest trustworthy. The server is always at liberty to refuse to serve.
Cloudflare is a site protection service. Their goal is to keep malicious traffic from griefing their customers. To do that, they have to distinguish malicious and non-malicious traffic. That becomes a game of trust, and if the user agent is masking its signal (or, more generally, making its signal less distinct) in the interest of privacy for its user, there are fewer trust hooks for Cloudflare to use to distinguish legit Firefox-shaped traffic from attacks.
Ironically, attempting to keep oneself anonymous can make one lest trustworthy. The server is always at liberty to refuse to serve.