FortiGate
Francesko
Staff
Article Id 360717
Description: This article describes how to force NAT-Traversal (NAT-T) for IPsec tunnels established between FortiGate and Cloudflare Magic WAN.
Scope: FortiGate.
Solution

Even with NAT-Traversal forced on the phase1 interface, the IKE session between FortiGate and Cloudflare Magic WAN starts on UDP port 500, and IKE/IPsec traffic can be observed continuing over UDP port 500 instead of moving to UDP port 4500.

This is the expected FortiGate behaviour: FortiGate initiates IKE over UDP port 500 first (for both IKEv1 and IKEv2) and only then switches to UDP port 4500, either because NAT-T is forced (set nattraversal forced on the phase1 interface) or because NAT discovery shows that the FortiGate is placed behind a NAT device.

According to the Magic WAN documentation, if the router is behind NAT and requires NAT traversal (NAT-T), the router must initiate IKE communication on port 4500. NAT-T is not supported for IKE sessions that begin on port 500 and then switch to port 4500, which is exactly the default FortiGate behaviour described above.
Magic WAN IPsec documentation: GRE and IPsec tunnels.

To start the IKE session directly on UDP port 4500 instead of UDP port 500, change the IKE port in the system settings:

config system settings
    set ike-port 4500
end

Important note:

The setting is not per-tunnel: it changes the IKE port for every IPsec connection on the FortiGate (per VDOM when VDOMs are enabled, since it is set under config system settings). The configurable IKE port works only with IKE version 2, so the affected phase1 interfaces must use IKEv2, and the remote peer(s) must be configured to use the same port. Cloudflare Magic WAN already expects IKE on UDP 4500 when NAT-T is required, as stated in its documentation above; any other peer terminating on the same FortiGate must be adjusted accordingly before the change is applied.
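As an added example (not part of the original article, and not Fortinet's or Cloudflare's own configuration), the following FortiGate CLI sequence applies the workaround end to end and then verifies which port the IKE session actually uses. The phase1-interface name cf-magic-wan, the interface wan1, and the placeholders for the Cloudflare anycast address and pre-shared key are assumptions; substitute the real values from the Magic WAN tunnel configuration.

```text
# Phase1 towards Cloudflare Magic WAN: IKEv2 with NAT-T forced.
# Tunnel name, interface and the <...> placeholders are assumptions for this example.
config vpn ipsec phase1-interface
    edit "cf-magic-wan"
        set interface "wan1"
        set ike-version 2
        set nattraversal forced
        set remote-gw <cloudflare-anycast-ip>
        set psksecret <pre-shared-key>
    next
end

# With only the above, IKE starts on UDP 500 and moves to 4500 afterwards,
# which Cloudflare does not accept for NAT-T.
# Make FortiGate send IKE_SA_INIT on UDP 4500 from the start.
# This is set per VDOM (config system settings), so it affects every tunnel in it.
config system settings
    set ike-port 4500
end

# Confirm the value took effect.
show system settings | grep ike-port

# Re-establish the tunnel and check the ports in the IKE SA list:
# the addr line for the gateway should now show 4500 on both sides.
diagnose vpn ike gateway clear name "cf-magic-wan"
diagnose vpn ike gateway list name "cf-magic-wan"

# Sniff the IKE exchange: with ike-port 4500 no packets should appear on UDP 500.
diagnose sniffer packet any 'host <cloudflare-anycast-ip> and (udp port 500 or udp port 4500)' 4 0 l
```

Run the sniffer before clearing the gateway so the first IKE_SA_INIT is captured; if any packet still shows up on UDP port 500, the IKE port change has not been applied in the VDOM that owns the tunnel, or the phase1 is not using IKEv2.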

Related documents:

Technical Tip: IPSec VPN NAT-traversal

Administration Guide: Configurable IKE port