A combination of the issue described in the closed post here:
and the post/my comment here:
In summary: we just wrapped up a wild goose chase to address a bug with image uploads within a form. The symptom was a “missing CSRF token” error on form submission (a POST). Cloudflare triggered a Managed Challenge, and transformed/garbled/mangled the data before forwarding the request to our servers, hence the error.
Has anyone seen this before, or have any idea what might be happening? Or is it just a bug that needs addressing?
My advice if that you open a browser/tab in the security live events, by going to Security > Events and setting the time to Previous 30 minutes (Live updating).
Then try to perform the action you’re trying to perform and see if it triggers anything there.
(Depending on your traffic you might want to filter by client IP)
If you see any event being triggered there, then it’s only a matter of creating exceptions to allow it trough.
Exceptions to Managed Rules can be created under Security > WAF > Managed rules > Add exception.
If you do decide to create an exception, try to be as specific as possible. The broader the exception the weaker the managed rules get.
.