This is an IP address. It’s an IPv6 address. While it doesn’t look like an IPv4 address it’s no less valid. An IP address correlates a user to an IP address. Because there is a limited IPv4 address space space companies and telcos have resorted to using things like NAT where multiple machines share the same IP address (normally from your home internet all users have the same IP from an external perspective).
Imagine for a moment that you have a rogue user visiting your site from a popular coffee shop in town and he does something that causes his IP address to be blocked by Cloudflare. When you go to the coffee shop suddenly you are blocked as well because the IP address reported is not actually that of the visitor, but that of the coffee shop’s internet connection.
Wouldn’t you rather block the individual user who was acting maliciously? With IPv6 there are many more addresses so NAT is no longer necessary and each device gets it’s own IP address.
Unless you have an application which doesn’t support IPv6, preventing your website from allowing IPv6 native connections has noting but downsides in terms of performance and availability. Can you disable IPv6? Yep, you’ll need to use the API though to make the change.
You could try to block 2a01:116f:405:2100::/64, though keep in mind this will block 18 quintillion hosts, so maybe a captcha challenge might be better, unless the user can solve them of course.
What you could try is play with Cloudflare’s pseudo IPv4 address - Eliminating the last reasons to not enable IPv6 - but I doubt that will get you far either. You are referring to an address space of 14 quintillion addresses here, you wont be able to pack this reasonably into an IPv4 address.
Blocking a single IPv4 address, or an IPv6 /64, often has a similar amount of collateral damage.
In residential situations, the typical assignment sizes are one IPv4 address, and a /64 to /48 IPv6 range (probably usually at the smaller end of that). (When IPv6 is available at all.)
On the other hand, it’s not unusual for a /64 to contain thousands of users.
Your firewall rule syntax is incorrect. You have used an AND operator where you should be using an OR operator. You should either change the firewall rule to use OR (a user doesn’t have multiple IPs simultaneously for a given connection) or use the IP access rules under Firewall | Tools to block each address individually.