May I ask you to check which option you have selected under Browser Cache TTL in the Cloudflare dashboard for your domain name?
You can check this by navigating to Caching → Configuration.
I’d suggest you set it (if it is not already) to “Respect Existing Headers”.
Similar topic:
Furthermore, I wouldn’t suggest protecting “wp-admin” with a password, as some plugins, including WordPress core, use some of the resources like JS or CSS files on themes, JSON, REST API, etc.
Therefore, you’d be asking each of your visitors for a “username & password”.
There are much better ways to protect your WordPress admin dashboard / WordPress login using Cloudflare, if so.
If interested, I am sharing my post here, which contains a lot of useful information about these topics:
I’d suggest you take a look at Cloudflare Access / Zero Trust to protect your WP Login.