Firewall/Rampart is not blocking/dropping connections

Correct. Ideally if Cloudflare is in front providing DDoS deterrence it should be handling this rather than passing it through.

When the server performs a block, it sends a SOCK_DESTROY command over netlink, so these connections matching the offender’s IP will be immediately closed. Trouble with blocking upstream in Cloudflare is that the blocks applied to its API are per-account, so you would need to know your client’s Cloudflare credentials. In single-role setups where all domains on the server are managed by Cloudflare this is possible but infeasible on multi-tenant installs.
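The mechanism this reply describes, as an added example that is not Rampart's own code: SOCK_DESTROY is sent over a NETLINK_SOCK_DIAG socket, and the kernel applies it per socket (exact 4-tuple plus cookie), so closing "every connection from one IP" is done the way `ss -K` does it: dump the TCP socket table, keep the entries whose peer matches, then send one SOCK_DESTROY per match. The struct layouts and constants are those of the Linux `inet_diag` UAPI; the offender and local addresses are constructed sample values; applying it for real needs Linux with CONFIG_INET_DIAG_DESTROY and CAP_NET_ADMIN, while the packing and parsing run anywhere.

```python
"""Close established TCP connections to one peer IP with SOCK_DESTROY over
NETLINK_SOCK_DIAG (the interface behind `ss -K`). Added example, not
Rampart's code; live use needs CONFIG_INET_DIAG_DESTROY and CAP_NET_ADMIN."""
import ipaddress
import os
import socket
import struct
from dataclasses import dataclass

NETLINK_SOCK_DIAG = 4                          # <linux/netlink.h>
SOCK_DIAG_BY_FAMILY, SOCK_DESTROY = 20, 21     # <linux/sock_diag.h>
NLM_F_REQUEST, NLM_F_ACK, NLM_F_DUMP = 0x1, 0x4, 0x300   # DUMP = ROOT | MATCH
NLMSG_ERROR, NLMSG_DONE = 2, 3
TCP_ALL_STATES = 0xFFF                         # one bit per TCP state
NLHDR = struct.Struct("=IHHII")      # nlmsghdr: len, type, flags, seq, pid
REQ_HDR = struct.Struct("=BBBBI")    # inet_diag_req_v2: family, proto, ext, pad, states
MSG_HDR = struct.Struct("=BBBB")     # inet_diag_msg: family, state, timer, retrans
SOCKID_NET = struct.Struct("!HH16s16s")   # sport, dport, src[4], dst[4] (network order)
SOCKID_HOST = struct.Struct("=III")       # ifindex, cookie[2] (host order)
SOCKID_LEN = SOCKID_NET.size + SOCKID_HOST.size   # 48 bytes


@dataclass
class DiagSocket:
    family: int
    state: int
    local: str
    lport: int
    peer: str
    pport: int
    sockid: bytes   # raw inet_diag_sockid, reused verbatim in the destroy request


def build_dump_request(family=socket.AF_INET, seq=1):
    """Ask the kernel to list every TCP socket of one address family."""
    body = REQ_HDR.pack(family, socket.IPPROTO_TCP, 0, 0, TCP_ALL_STATES) + bytes(SOCKID_LEN)
    return NLHDR.pack(NLHDR.size + len(body), SOCK_DIAG_BY_FAMILY,
                      NLM_F_REQUEST | NLM_F_DUMP, seq, 0) + body


def build_destroy_request(sock, seq):
    """SOCK_DESTROY is per socket: the kernel matches the exact 4-tuple and cookie."""
    body = REQ_HDR.pack(sock.family, socket.IPPROTO_TCP, 0, 0, 0) + sock.sockid
    return NLHDR.pack(NLHDR.size + len(body), SOCK_DESTROY,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0) + body


def parse_dump_reply(buf):
    """Walk concatenated netlink messages; return (sockets, saw_NLMSG_DONE)."""
    socks, done, off = [], False, 0
    while off + NLHDR.size <= len(buf):
        length, mtype, _flags, _seq, _pid = NLHDR.unpack_from(buf, off)
        if length < NLHDR.size or off + length > len(buf):
            raise ValueError("truncated netlink message")
        if mtype == NLMSG_DONE:
            done = True
            break
        if mtype == NLMSG_ERROR:              # nlmsgerr.error: 0 is a plain ACK
            err = -struct.unpack_from("=i", buf, off + NLHDR.size)[0]
            if err:
                raise OSError(err, os.strerror(err))
        elif mtype == SOCK_DIAG_BY_FAMILY:
            body = buf[off + NLHDR.size:off + length]
            family, state, _t, _r = MSG_HDR.unpack_from(body)
            sockid = body[MSG_HDR.size:MSG_HDR.size + SOCKID_LEN]
            sport, dport, src, dst = SOCKID_NET.unpack_from(sockid)
            n = 4 if family == socket.AF_INET else 16
            socks.append(DiagSocket(family, state, str(ipaddress.ip_address(src[:n])), sport,
                                    str(ipaddress.ip_address(dst[:n])), dport, sockid))
        off += (length + 3) & ~3              # NLMSG_ALIGN
    return socks, done


def select_by_peer(socks, offender):
    target = ipaddress.ip_address(offender)
    return [s for s in socks if ipaddress.ip_address(s.peer) == target]


def destroy_peer_connections(offender, family=socket.AF_INET):
    """Live path (root only): dump, filter, one SOCK_DESTROY per matching socket."""
    nl = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_SOCK_DIAG)
    try:
        nl.send(build_dump_request(family, seq=1))
        socks, done = [], False
        while not done:                        # a dump may span several recv() calls
            part, done = parse_dump_reply(nl.recv(65536))
            socks += part
        victims = select_by_peer(socks, offender)
        for i, s in enumerate(victims, start=2):
            nl.send(build_destroy_request(s, seq=i))
            parse_dump_reply(nl.recv(4096))    # raises OSError if the kernel refused
        return len(victims)
    finally:
        nl.close()


def sample_dump_reply():
    """Constructed reply, encoded as the kernel would: two ESTABLISHED IPv4 sockets
    (peers 203.0.113.7 and 198.51.100.9) followed by NLMSG_DONE."""
    def diag_msg(local, lport, peer, pport):
        sockid = SOCKID_NET.pack(lport, pport, ipaddress.ip_address(local).packed.ljust(16, b"\0"),
                                 ipaddress.ip_address(peer).packed.ljust(16, b"\0"))
        sockid += SOCKID_HOST.pack(0, 0x1234, 0)
        body = MSG_HDR.pack(socket.AF_INET, 1, 0, 0) + sockid + struct.pack("=IIIII", 0, 0, 0, 0, 0)
        return NLHDR.pack(NLHDR.size + len(body), SOCK_DIAG_BY_FAMILY, 2, 1, 0) + body
    done = NLHDR.pack(NLHDR.size + 4, NLMSG_DONE, 2, 1, 0) + struct.pack("=i", 0)
    return (diag_msg("10.0.0.2", 443, "203.0.113.7", 51000)
            + diag_msg("10.0.0.2", 443, "198.51.100.9", 51001) + done)


if __name__ == "__main__":
    socks, _ = parse_dump_reply(sample_dump_reply())   # offline demo on constructed data
    for s in select_by_peer(socks, "203.0.113.7"):
        print(f"would destroy {s.local}:{s.lport} <-> {s.peer}:{s.pport} "
              f"({len(build_destroy_request(s, 2))}-byte SOCK_DESTROY request)")
```

Run as-is it only parses the constructed dump and shows which socket would be destroyed; `destroy_peer_connections("203.0.113.7")` as root performs the real dump-and-destroy. The ACK flag on the destroy request matters: without NLM_F_ACK the kernel sends no reply on success and the `recv()` after it would block.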
