Since you’re trying to compare a host based L7 WAF as addition which gets with the paid WordPress plugin, which works on a PHP and depends on the availability of the origin host which can be overwhelmed by the HTTP reqeusts, etc., with an Cloud WAF such as Cloudflare, I cannot tell for sure.
It’s like Wordfence or BBQ firewall for WordPress vs Cloudflare WAF on a Pro plan.
It is good to have host-based firewall, or at least a plugin for WordPress as you stating alongside Cloudflare.
Cloudflare, if configured propperly, can block a dozen more than single PHP WAF, due to the possibly server CPU overload to handle so much requests in case of a DDoS or vulnerability scans.
Unfortunately, I have no experience and clue about how Quic Cloud CDN WAF works, neither how it is integraged via the paid plugin
Can argue, can agree, however I am always going with approach as follows:
Lock your host/origin server via UFW (at least) and configure iptables if possible
Setup and configure web server protection, such as ModSecurity rules or other related htaccess file for Apace, vhost/nginx config file for Nginx in web server config file to prevent and possible bypass to the PHP further
Have Web application firewall, if running CMS such as WordPress, any kind of a security plugin (working over the PHP) would be of help, like Wordfence, BBQ, etc.
Put your domain behind a proxy such as Cloudflare and leverage benefits, tune-up what you need for your own case
Some articles which I found and might be helpful to you: