Make sure you’re inspecting these response headers with logged out session and Wordpress site cookies deleted otherwise logged in sessions will bypass CF APO cache at least.
How are you doing page refreshes via CTRL+F5 or normal F5? You have
must-revalidate header for cache-control and on CTRL+F5 it will force a revalidation.
Also CF Wordpress APO doesn’t cache on no-cache requests and if you open web browser dev tool’s network tab make sure you do not have ‘disable cache’ checked as that forces a no-cache request to bypass Wordpress APO caching.
You can use a tool like HTTP Header Checker - Check HTTP Response Headers With curl | KeyCDN Tools to check outside of your web browser and any cookies it has saved and this tool Performance Test - Check URL Speed From 10 Global Locations | KeyCDN Tools to see geographical response headers when you click results down arrow to expand response headers
example in Sydney your page has been in cache for
age: 75743 - 75,743 seconds
In Frankfurt, cached page in cache for
age: 13161 - 13,161 seconds
Also the max cache time is only a guide. Cloudflare may purge cache entries which do not get frequent visits at all. Does you web site get much traffic - decent traffic should keep it within cache though.
Also if you’re on paid Cloudflare plan, you have access to Cache Analytics dashboard tab to drill down into your site’s cache status to see as well. Example of one of my Wordpress blogs with own custom CF Worker full page HTML caching. Filter cache analytic requests for HTML type, 200 status code only and exclude /wp-admin paths which are expected to not be cached = rough estimate of cache hit rate for full HTML page caching of Wordpress pages/posts.