After searching around, Heroku doesn’t seem to have a true firewall that allows whitelisting certain IP blocks. It also looks like it doesn’t support client certificates, so you likely can’t use Authenticated Origin Pull.
One thing you can try is an application-level firewall. Add a middleware or some entry script that checks that the client’s IP address originates from Cloudflare IPs, and return something like a 403 error if the client’s IP address is not from Cloudflare. If you use Node and Express, you may be able to use express-ipfilter as your firewall, or use its source code as a reference when building your application-level firewall.
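
A sketch of the application-level check described above, added as an example (it is not part of the original post and is not express-ipfilter's code). It is an Express-style `(req, res, next)` middleware built on Node's `net.BlockList`. Assumptions: `CLOUDFLARE_CIDRS` is a sample subset to be replaced with the current list from https://www.cloudflare.com/ips/, and the platform router appends the address of the peer that connected to it as the last `X-Forwarded-For` entry, so only that entry is trusted.

```javascript
const net = require('node:net');

// Sample subset for the example; load the full, current list from
// https://www.cloudflare.com/ips/ in a real deployment.
const CLOUDFLARE_CIDRS = ['173.245.48.0/20', '104.16.0.0/13', '2606:4700::/32'];

function buildAllowList(cidrs) {
  const list = new net.BlockList(); // used here as a generic CIDR matcher
  for (const cidr of cidrs) {
    const [addr, prefix] = cidr.split('/');
    list.addSubnet(addr, Number(prefix), net.isIPv6(addr) ? 'ipv6' : 'ipv4');
  }
  return list;
}

// Assumption: behind a platform router the socket peer is the router itself,
// and the router appends the real connecting peer as the LAST X-Forwarded-For
// entry. Earlier entries are supplied by the client and must not be trusted.
function connectingIp(req) {
  const xff = req.headers['x-forwarded-for'];
  if (xff) return String(xff).split(',').pop().trim();
  return req.socket ? req.socket.remoteAddress : undefined;
}

function isAllowed(list, ip) {
  if (!ip) return false;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip); // IPv4-mapped IPv6
  if (mapped) ip = mapped[1];
  const family = net.isIP(ip); // 0 when the value is not an IP address
  if (family === 0) return false; // fail closed on malformed input
  return list.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// Usage with Express: app.use(cloudflareOnly());
function cloudflareOnly(cidrs = CLOUDFLARE_CIDRS) {
  const list = buildAllowList(cidrs);
  return function (req, res, next) {
    if (isAllowed(list, connectingIp(req))) return next();
    res.statusCode = 403;
    res.end('Forbidden');
  };
}
```

Register it before any other route or middleware so that rejected requests never reach application code, and refresh the range list when Cloudflare updates it.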