First-time poster here.
I stumbled upon a post from 2018 that talks about this very topic (link here: Cloudflare Access Hardening )
@MarkMeyer you mentioned that you are using Cloudflare as your source in your Foritgate Policy. My question is, what list of IPs are you using? Did you create an address object manually or did you use a built-in address object or internet service in your Forti?