Greetings,
Thank you for asking.
If you are using a Cloudflare and a proxied 
DNS hostname (domain.com, www.domain.com …), it could be achieved by creating a Firewall Rule at Cloudflare Dashboard with which you can block all the requests where the User-agent contains the string of the ones you want to block at your domain/Website.
Furthermore, we might have to modify the expression a bit as far as Regular Expressions can be used on a higher Paid plan.
Nevertheless, we would be limited by the 4096 characters per a Firewall Rule we can use. Therefore, we might have to split it into two or more, we’d have to see.
Kindly, may I point you to the step-by-step instruction from link below how to manage Firewall Rules at Cloudflare dashboard (the referenced link includes pictures for better understanding, navigation and help):
Example of the Firewall Rule to block requests/traffic where User-agent contains a string or a part of it to your Website in picture:
Example expression (not full):
(http.user_agent contains "360Spider") or (http.user_agent contains "acapbot") or (http.user_agent contains "acoonbot") or (http.user_agent contains "ahrefs") or (http.user_agent contains "alexibot") or (http.user_agent contains "asterias") or (http.user_agent contains "attackbot") or (http.user_agent contains "backdorbot") or (http.user_agent contains "becomebot") or (http.user_agent contains "binlar") or (http.user_agent contains "blackwidow") or (http.user_agent contains "blekkobot") or (http.user_agent contains "blexbot") or (http.user_agent contains "blowfish") or (http.user_agent contains "bullseye") or (http.user_agent contains "bunnys") or (http.user_agent contains "butterfly") or (http.user_agent contains "careerbot") or (http.user_agent contains "casper") or (http.user_agent contains "checkpriv") or (http.user_agent contains "cheesebot") or (http.user_agent contains "cherrypick") or (http.user_agent contains "chinaclaw") or (http.user_agent contains "choppy")
Make sure the rule ist the 1st from above on the Firewall Rules list.
Nevertheless, a good example already exists. Consider blocking some of the known “bad user-agents”, “crawlers” or “bad ASNs” using below posts:
Yes, above Firewall would block them.
But, we can create another one and make sure that one is with the action “Allow” and above the Firewall Rule which is blocking bad bots - or exclude them and remove from the “blocking” firewall rule.
Nevertheless, regarding “good bots” there is a list of known bots which we can define to bypass them and allow using cf.client.bot field as described on the following article from below: