Caching is completely useless as a replacement for rate limiting. Simply add a bunch of nonsense to the url, or change query parameters, and you will bypass the cache.
Cloudflare does offer rate limiting - it's in Security / WAF / Rate limiting rules.
On the free plan it is perhaps a bit limited in the rules you can create (match based on bot or URL regex, limit by # requests per IP per 10 seconds). But still pretty useful for slowing stupid requests.
And / or you can use Transform Rules to better normalize the Origin URLs so that the query string or other path info doesn't create new origin requests. Or more simply, enable Ignore Query String in the Cache Settings.
Caching is completely useless as a replacement for rate limiting. Simply add a bunch of nonsense to the url, or change query parameters, and you will bypass the cache.