While this is definitely a great read and an interesting attack vector, I think the term „deanonymization“ is stretching it here.

As far as I can see, this attack would only let you determine which Cloudflare datacenter the target has been accessing. This would, in most cases, be one near the target, but it wouldn‘t get you a precise position or any personal information about the target. You‘d just get a pretty unreliable and very large radius of where your target might be.