Last week Cloudflare released privacy-first web analytics for free. For some reason, they failed to include information about CSP. Websites with strong CSPs need this information.
Here is what needs to be added to the CSP:
I figured this out through trial and error, which is not ideal. I hope Cloudflare takes CSP more seriously in the future.