You're still accessing the file via their network, so for them it's probably cheaper to actually cache the file so they don't have to hit the origin server every time a request comes in.
So, if they want to penalize a customer, it's pretty trivial for them to route those excessive requests around their cache and directly to the customer's server. Cloudflare can choose to dump a ddos they're mitigating on their customers whenever they feel like it, so why the hell not throttle or redirect their own throughput when it's in their financial interest or people aren't paying enough for it?
They can choose not to cache and pass each request to the customer's server, but the traffic is still going through their network. Not caching or letting DDoS requests reaching the customer's server doesn't stop using their bandwidth or lower the load on their systems. For that, they need to stop accepting traffic to that domain.
In this case I believe they simply blocked the sub-domains being used as CDN for other sites (which breaks their ToS). They didn't point the domain directly at the origin server (which would expose the original IP) or throttle the traffic (again, wouldn't reduce the load on their system).
My understanding is that what OP was doing is allowed on a higher plan, but like any other CDN, it costs more than the $20/month plan OP was using. Still, a warning and a few days to deal with the problem would be better for everyone: OP wouldn't have downtime and Cloudflare could be making more money. Instead they lost a customer and have some bad PR.