

Odd. I just tried
and got
Enable JavaScript and cookies to continue
I’m clearly not on the same setup as you are, but my off-the-cuff guess is that your curl command was issued from a system that cloudflare already recognized (IP whitelist, cookies, I dunno).
Anyways, I’m reading through this blog post on using cURL with cloudflare-protected sites and I’m finding it interesting.
Bots lie about who they are, ignore robots.txt, and come from a gazillion different IPs.