You can block WordPress xmlrpc.php requests from Cloudflare but exclude the JetPack IP addresses by creating a custom firewall rule, attacks on xmlrpc.php are frequent and it is best now disabled as it will be deprecated from WordPress in the future.
However, some of the more popular WordPress plugins such as JetPack still need to access xmlrpc.php so you may need a custom solution to make it available.
Fully Disable xmlrpc.php
add_filter( 'xmlrpc_enabled', '__return_false' );
Check that xmlrpc is disabled with this online validator.
Partially Disable xmlrpc.php localhost
You can restrict usage by partially blocking access to xmlrpc.php by adding a rule in your .htaccess file
<Files xmlrpc.php> Order allow,deny Allow from 220.127.116.11/18 Deny from all Satisfy All ErrorDocument 403 http://127.0.0.1/ </Files>
So only IP addresses in the range of 18.104.22.168/18 can access xmlrpc.php – which is part of the JetPack IP address range.
Partially Disable xmlrpc.php at Cloudflare but allow JetPack
With the free Cloudflare you can add up to five custom firewall rules, create one to block all IP addresses apart from JetPacks to deny access to any query string that contains xmlrpc.php
JetPack IP Address Range
Now you can check the activity of the firewall rule by clicking on the Activity last 24hr link in the rule – also verify your xmlrpc.php is disabled by visiting the online validator.