
In order to function, CDNs have to act essentially as giant opt-in MITM services. When you set up a CDN in front of your site, you will either need to give them your cert, or let them issue a cert (e.g. via Let's Encrypt).

If they can serve your site with https normally, they can serve any content they want under it.

This is about CF's public DNS resolver though, and not every domain they're ordered to stop resolving will also happen to be served through their own CDN. In this case it was, which explains how they're able to serve a 451 error over HTTPS, but that won't always be the case as the article implies.

In some other cases I suppose they could downgrade the connection to HTTP in order to show their 451 page, but if the domain is HSTS'ed then that wouldn't work either. They'd have to just black-hole the query like Google does.
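The three cases laid out in the two comments above (CDN-proxied domain, HSTS-protected domain, neither) can be turned into a small decision routine. The code below is an added example written for this page, not code from either commenter or from any resolver operator. It parses a Strict-Transport-Security header as RFC 6797 describes it, checks whether a stored policy covers a given host (including the includeSubDomains case), and then reports which outcome a blocking resolver could produce. The hostnames, header values and the `proxied_by_cdn` flag are constructed inputs; it also assumes the browser has already stored the HSTS policy, since HSTS is trust-on-first-use unless the domain is on a preload list.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int            # seconds the policy stays cached; 0 means "forget it"
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value per RFC 6797 section 6.1.

    Returns None when the header is invalid: max-age is mandatory, a directive
    may appear only once, and max-age must be a non-negative integer. Unknown
    directives (for example "preload") are ignored, as the RFC requires.
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # values may be quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub)


def hsts_covers(policy: HstsPolicy, policy_host: str, request_host: str) -> bool:
    """True when a browser holding `policy` for `policy_host` would refuse
    plain HTTP to `request_host` (exact match, or a subdomain when allowed)."""
    if policy.max_age == 0:
        return False
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    return policy.include_subdomains and request_host.endswith("." + policy_host)


# Outcomes named in the thread above.
OUTCOME_451_HTTPS = "451 over HTTPS"
OUTCOME_451_HTTP = "451 over HTTP (downgrade)"
OUTCOME_BLACKHOLE = "black-hole"


def blocking_outcome(domain: str, proxied_by_cdn: bool,
                     stored_hsts: Dict[str, str]) -> str:
    """Decide what a resolver ordered to block `domain` can show the user.

    stored_hsts maps hostnames to the Strict-Transport-Security header the
    browser previously cached for them (constructed input for this example).
    """
    if proxied_by_cdn:
        # The CDN already terminates TLS for this domain, so it can serve an
        # error page under a certificate the browser accepts.
        return OUTCOME_451_HTTPS
    for host, header in stored_hsts.items():
        policy = parse_hsts(header)
        if policy is not None and hsts_covers(policy, host, domain):
            # Browser will not fall back to HTTP, so no page can be shown.
            return OUTCOME_BLACKHOLE
    return OUTCOME_451_HTTP


if __name__ == "__main__":
    # Constructed sample: a cached HSTS policy for the apex that also covers
    # every subdomain.
    cache = {"blocked.example": "max-age=31536000; includeSubDomains; preload"}
    print(blocking_outcome("blocked.example", True, cache))        # 451 over HTTPS
    print(blocking_outcome("www.blocked.example", False, cache))   # black-hole
    print(blocking_outcome("other.example", False, cache))         # 451 over HTTP (downgrade)
```

The parser is deliberately strict: a header that repeats a directive or lacks max-age is treated as absent, which is what a browser does, so a sloppy header quietly leaves the domain downgradeable.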
