After doing tests agsinst the origin server I think this might be related to the constellation between Cloudflare and the origin.
Tests:
$ curl -I -e https://www.archons.org https://bartholomew.foundation/wp-content/uploads/2021/06/column.jpg --resolve 'bartholomew.foundation:443:[CENSORED]'
HTTP/2 200
server: openresty
date: Wed, 26 Jan 2022 16:36:28 GMT
content-type: image/jpeg
content-length: 69024
accept-ranges: bytes
access-control-allow-methods: *
access-control-allow-origin: *
age: 0
cache-control: private, max-age=31536000
etag: "10da0-5ca38f476733b"
expires: Thu, 26 Jan 2023 16:36:28 GMT
last-modified: Mon, 23 Aug 2021 12:14:11 GMT
referrer-policy: no-referrer
x-backend: local
x-cache: uncached
x-cache-hit: MISS
x-cacheable: NO:Cache-Control=private
x-content-type-options: nosniff
x-frame-options:
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; includeSubDomains
$ curl -I -e https://bartholomew.foundation https://bartholomew.foundation/wp-content/uploads/2021/06/column.jpg --resolve 'bartholomew.foundation:443:[CENSORED]'
HTTP/2 200
server: openresty
date: Wed, 26 Jan 2022 16:35:46 GMT
content-type: image/jpeg
content-length: 69024
accept-ranges: bytes
access-control-allow-methods: *
access-control-allow-origin: *
age: 0
cache-control: private, max-age=31536000
etag: "10da0-5ca38f476733b"
expires: Thu, 26 Jan 2023 16:35:46 GMT
last-modified: Mon, 23 Aug 2021 12:14:11 GMT
referrer-policy: no-referrer
x-backend: local
x-cache: uncached
x-cache-hit: MISS
x-cacheable: NO:Cache-Control=private
x-content-type-options: nosniff
x-frame-options:
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; includeSubDomains
No matter which referrer it threw a 200 success code, but as soon as calling the same against Cloudflare it results in a 403. I think the best thing would be opening a ticket so the devs can have a look.
Please post the ticket id here so we can escalate it.