Considering you wrote
CF_CONNECTING_IP I assume you already ruled out the possibility of a direct connection, bypassing Cloudflare, correct?
Your access rule looks all right so either the IP is for some reason not recognised as belonging to this AS or there is some other glitch. Have you check your firewall events? Also, can you post a log excerpt from such a request?
i also verified
REMOTE_ADDR server variable in php which all belongs to CF network. so the requests are legit, not header spoofing.
i have custom log so i can only share some ips which appears to belong to AS9009
they are coming from multiple country while having same ASN