I set up a web server using catalyst and put it behind cloudflare fore security reasons, is there any way in catalyst to prevent a direct access using the server's ip address (thus bypassing cloudflare)?

Its a cloudflare question; answer is probably no, check with cloudflare

I think one could deny by default and whitelist cloudflare's ip ranges but I would like to know if there is a way to do it using catalyst itself? Maybe a way to formulate a controller for this case.

Yes, you can do pretty much anything you want, easiest option is is use Plack/plackup to load your catalyst app with a simple sub that checks IPs