Basically, what happens is that Google stores the response with a signature signed by your server’s certificate (Cloudflare’s certificate) on their CDN. When Google serves the AMP page, it includes this signature with the AMP page. If the client (web browser) implements signed exchanges, it will show the “canonical” URL in the address bar instead of the
google.com/amp cdn. Your traffic will still never hit your server, or even Cloudflare’s analytics with real URL.
In order for the address bar to actually be replaced, it is up to the client (webkit, chrome mobile, firefox mobile) to implement signed exchanges. Even when CF turns on real URL for every zone, if Safari doesn’t implement this, it’ll effectively be dead in the water, at least for traffic within the United States (iPhone market share is much higher here), but less of an issue for other countries (android generally has more market share elsewhere).