@Kevin I owe you big time!
This has been driving me crazy for months, across 4 different installations of Ghost.
I just added a page rule in Cloudflare to disable the firewall when trying to access ‘/ghost/api/v3/admin/settings/’ and I can now save code injections.
My only question now is… is this safe?