The IP addresses rarely change. So blocking by IP address still is a good option.
But Authenticated Pulls are certainly a possbility too. What that is, is essentally just the proxies using client certificate authentication to authenticate themselves against your server. Like with the IPs you just need to make sure you have the current certificate in place. IIRC the previous certificate expired this year and a lot of people complained here that there sites aren’t working any more (obviously, with an expired certificate).
Also, that kind of authentication requires your site to be on HTTPS. That is not necessarily a bad thing, but it is something to consider as well. You won’t be able to use HTTP any longer.
You nonetheless might want to restrict access to Cloudflare however, as you could still leak your domain name via SSL, especially if the certificate is the default one and not just configured via SNI. Another thing to consider is any potential DDoS attacks against your SSL port. These might be easier if your server accepts connections compared to when it only accepts Cloudflare connections.
Apart from that, you should be good to go. And, yes, it is a good idea to change the IP address, especially if it has been already archived for your domain somewhere.