Since you mentioned changing the nameservers, I assume that you’re not using the CF Registrar for this domain. I have done some testing of this scenario as well, and changing the nameservers to non-CF ones seems to make the CF system change the status of DNSSEC from pending to actually disabled. Then change back to the CF nameservers, and now you should be able to enable DNSSEC. CF will give you the values for the DS record, so go to your registrar, add the DS record as instructed and DNSSEC should start working. At least in my testing this procedure fixed it.
It would be really helpful if CF actually cancelled the setup when you told it to, but at least there is some sort of workaround. In my case, where CF is the actual registrar for the domain, I haven’t been able to find a workaround. CF is supposed to either add the DS record for the domain, or cancel the DNSSEC setup, but it does neither, so it’s stuck and I can’t do anything about it.
There’s another bug in the DNSSEC setup process that I found. CF often shows different statuses of DNSSEC between refreshes. In one instance, it was showing 3 different statuses (disabled, pending setup and pending cancellation) in the span of a few seconds when I was refreshing the page without pressing buttons. If I were CF, I would audit the relevant code in its entirety, fix the bugs and thoroughly test the functionality.