FWIW, WordPress uses the Vary: Accept header for a number of APIs and it seems to always work fine behind Cloudflare and runs a sufficiently large portion of the internet. But, you're telling me I can hit all these sites' public APIs that are behind Cloudflare and start a DoS by simply sending an uncommon Accept header? Sounds like an easy way to pressure Cloudflare to 'do the right thing' if you own a botnet.
Anyway, I guess this is yet another reason to not use Cloudflare. Thanks for your comment.