The Irrevocable SSL Certificates of Cloudflare (worldofmatthew.com)
34 points by worldofmatthew on Jan 20, 2021 | hide | past | favorite | 13 comments



Refusing to do so reads to me like it could be in conflict with the CA/B rules for certificates, but I'm not too familiar with the interpretation of these clauses. Could be an interesting question to post on the CA/B mailing list at least.

Referencing Section 4.9.1.1, Reasons for Revoking a Subscriber Certificate:

If CF sees OP as the subscriber of the certificate,

> The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:

> 1. The Subscriber requests in writing that the CA revoke the Certificate

If CF considers itself the subscriber (since they are getting the certificate for their servers, this seems more likely):

> The CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days if one or more of the following occurs

> [...]

> 4. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant's right to use the Domain Name, --> a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, <-- or the Domain Name Registrant has failed to renew the Domain Name);


That last one wouldn't work if you just hosted the domain somewhere else, only if it was actually removed, which kinda defeats the purpose.


Why is the contract between OP ("Domain Name Registrant") and CF ("Applicant") not a "relevant service agreement" in that case?


> 1. The Subscriber requests in writing that the CA revoke the Certificate

This seems more appropriate.


In this context, Cloudflare is the Subscriber:

1.6.1 Definitions

Applicant: The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the Certificate issues, the Applicant is referred to as the Subscriber. For Certificates issued to devices, the Applicant is the entity that controls or operates the device named in the Certificate, even if the device is sending the actual certificate request.

Subscriber: A natural person or Legal Entity to whom a Certificate is issued and who is legally bound by a Subscriber Agreement or Terms of Use.

Subscriber Agreement: An agreement between the CA and the Applicant/Subscriber that specifies the rights and responsibilities of the parties.

Sure, Cloudflare certainly can request in writing from the CA to revoke the certificate, but in this case the problem was that they did not, right? Your best bet would be to email DigiCert directly under BR 4.9.2 (Who can request revocation) at revoke@digicert.com [0], citing termination of the contract between you as the Domain Name Registrant and the Subscriber (i.e. 4.9.1.1 pt 4 as mentioned in the parent comment).

[0] https://problemreport.digicert.com/


They pass it back to Cloudflare.


Tweet about it. And again. And again, until jgrahamc pings the support. (insert generic rant about MITM-as-a-service here)


Take your website offline, temporarily. Upload your privkey to pastebin. Show cloudflare that it's compromised.... ?


They probably don't have the private key. Cloudflare has it since they are the one managing the certificate.


CloudFlare's Universal SSL certificates used to be shared between multiple unrelated accounts by SAN stuffing, so back then they definitely wouldn't have given out the private key. I think this may have changed since I last saw a CloudFlare certificate with >100 SANs for various unrelated sites on a client's certificate around 3 years ago. The certificate from the post is not shared, and I can't find any other Universal SSL certificates that are shared now. This support article still suggests they're shared, however [0].

They likely didn't give clients the private keys before simply to save costs by reducing the number of certificates they had to issue. Now that they're not sharing certificates, it's probably just a way to extract a little more money from customers.

[0] https://support.cloudflare.com/hc/en-us/articles/204144518-S...


I checked and the Universal SSL certificates are normally not being shared nowadays.
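The two comments above turn on whether a Universal SSL certificate carries SANs for one site or is "SAN-stuffed" with many unrelated hostnames. Added example, not code from the thread or from Cloudflare: a dependency-free DER walker that locates the subjectAltName extension (OID 2.5.29.17) in a DER-encoded certificate, lists its dNSName entries, and groups them by a naive apex-domain heuristic so a defender can spot a shared certificate. The certificate bytes it runs on are a constructed skeleton built inline (serial number plus an Extensions wrapper), not a real certificate; on a real one you would pass the raw DER bytes instead.

```python
"""List subjectAltName dNSName entries from a DER certificate (added example)."""

# DER content bytes of OID 2.5.29.17 (id-ce-subjectAltName): 2*40+5=0x55, 29=0x1D, 17=0x11
SAN_OID_DER = bytes([0x55, 0x1D, 0x11])


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Encode one DER tag-length-value element (single-byte tags only)."""
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf, pos):
    """Decode the element at pos; return (tag, content_start, content_end, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length, pos + length


def _iter_children(buf, start, end):
    """Yield (tag, content_start, content_end) for each element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, cs, ce, nxt = _read_tlv(buf, pos)
        yield tag, cs, ce
        pos = nxt


def find_san_extension(buf, start=0, end=None):
    """Depth-first search for Extension ::= SEQUENCE { OID 2.5.29.17, [critical], OCTET STRING }.
    Returns the extnValue bytes (the encoded GeneralNames) or None."""
    if end is None:
        end = len(buf)
    for tag, cs, ce in _iter_children(buf, start, end):
        if tag == 0x30:  # SEQUENCE: check whether this is the SAN Extension itself
            kids = list(_iter_children(buf, cs, ce))
            if kids and kids[0][0] == 0x06 and buf[kids[0][1]:kids[0][2]] == SAN_OID_DER:
                t, vs, ve = kids[-1]  # extnValue is the last child
                if t == 0x04:
                    return buf[vs:ve]
        if tag & 0x20:  # constructed element: descend
            found = find_san_extension(buf, cs, ce)
            if found is not None:
                return found
    return None


def san_dns_names(extn_value):
    """Decode GeneralNames and keep only dNSName entries (context tag [2] = 0x82)."""
    tag, cs, ce, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        return []
    return [extn_value[s:e].decode("ascii") for t, s, e in _iter_children(extn_value, cs, ce) if t == 0x82]


def list_san_names(cert_der):
    """All dNSName SANs in a DER certificate, or [] if the extension is absent."""
    ext = find_san_extension(cert_der)
    return san_dns_names(ext) if ext is not None else []


def distinct_apex_domains(names):
    """Heuristic count of unrelated sites: distinct last-two-label suffixes, wildcards stripped.
    It ignores the Public Suffix List (e.g. co.uk), so treat it as a hint, not a rule."""
    return {".".join(n.lstrip("*.").split(".")[-2:]) for n in names}


def build_sample_cert(dns_names):
    """Constructed certificate-shaped DER skeleton (NOT a real certificate): an outer SEQUENCE
    holding a TBS-like SEQUENCE with a serial number and a [3] EXPLICIT Extensions wrapper."""
    general_names = tlv(0x30, b"".join(tlv(0x82, n.encode("ascii")) for n in dns_names))
    extension = tlv(0x30, tlv(0x06, SAN_OID_DER) + tlv(0x04, general_names))
    extensions = tlv(0xA3, tlv(0x30, extension))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + extensions)
    return tlv(0x30, tbs)


# Constructed samples: one single-tenant certificate and one stuffed with unrelated apexes.
SINGLE_TENANT = build_sample_cert(["example.com", "*.example.com"])
STUFFED = build_sample_cert(["alpha.example", "www.alpha.example", "beta.test",
                             "gamma.invalid", "shop.delta.example"])

if __name__ == "__main__":
    for label, cert in (("single-tenant", SINGLE_TENANT), ("stuffed", STUFFED)):
        names = list_san_names(cert)
        print(label, len(names), "SANs across", len(distinct_apex_domains(names)), "apex domains")
```

The walker only handles single-byte tags, which covers every tag that appears in an X.509 certificate; it searches by OID rather than by fixed offsets so it does not care where the extension sits inside the TBSCertificate.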


> they won't revoke unless the team has "determined the private key was compromised."
Ok, so publish it somewhere public, like news.ycombinator.com, then ask them to revoke it


They hold the private key.

