Nothing stops you from signing your own tokens, but if you want those tokens to actually help you get past CFs WAF then you have to convince (or pay) them to trust you. It's kind of like how you can sign your own public TLS certs, but they won't do you much good if the browser vendors don't trust them.