After confirming twice with Cloudflare, there does not seem to exist a feature that restricts the IPs that can query a DNS zone. Currently, the only way to do that would be to own the DNS servers and put an ACL in front of them. When it comes to public domains, managed cloud solutions such as Cloudflare are great but these come with a drawback; in this instance, less management power.
It would be good to be able to allow specific IP addresses to query a specific DNS zone, should this zone need to exist publicly (for multiple reasons) and contain records pointing to internal resources.
IP addresses not in a whitelist, in this scenario, would be returned a 403 Forbidden - or such - error.