They can choose not to cache and pass each request to the customer's server, but the traffic is still going through their network. Not caching or letting DDoS requests reaching the customer's server doesn't stop using their bandwidth or lower the load on their systems. For that, they need to stop accepting traffic to that domain.
In this case I believe they simply blocked the sub-domains being used as CDN for other sites (which breaks their ToS). They didn't point the domain directly at the origin server (which would expose the original IP) or throttle the traffic (again, wouldn't reduce the load on their system).
My understanding is that what OP was doing is allowed on a higher plan, but like any other CDN, it costs more than the $20/month plan OP was using. Still, a warning and a few days to deal with the problem would be better for everyone: OP wouldn't have downtime and Cloudflare could be making more money. Instead they lost a customer and have some bad PR.
