The website owner (or cloudflare in this case) has the keys to decrypt the client hello. That's necessary for routing information.

By decrypting it? I don't think you know how TLS, or E2E works in general. ISP doesn't perform the fingerprinting, the server does.