This was an interesting Cloudflare "feature" I found out about the hard way. Even if you only use Cloudflare for DNS hosting, they will happily accept proxied requests for your hostnames and route them to your origin. I discovered this when we received a L7 DDoS from only Cloudflare IPs - the attacker had pointed their bots at Cloudflare with our hostname (bold move!).
The official solution (and might be why you see the blocked page) is to set up the WAF to block all requests.
Yes, HTTP / HTTPS requests can be proxied this way. Any CF IP seems to work. HTTPS only works if the target hasn't disabled Universal SSL (i.e, they have a TLS cert provisioned on Cloudflare's IPs).
The official solution (and might be why you see the blocked page) is to set up the WAF to block all requests.