I think that making a simulation is the best way to determine if you are dealing with a snake oil salesmen or not. Due to the fancy wording that all vendors have to use, it’s very hard to tell which one is relevant (this applies to all security fields really).
I advise reaching out to Cloudflare and asking them for permission to perform a controlled attack on your domain, chances are that they won’t mind about it.
Note that you want to hire a professional service for this, using online tools or sketchy services won’t give you any real insight nor feedback other than “welp, my site is now unavailable!” or “everything works, great!”.
If you need something to work from, Link11 has a great service that achieves DDoS testing that adapts to what you’d see in real-world attacks.