I think what parent is saying is the DNS request could have gone to your domain but the TLS handshake and HTTP POST could have contained another domain, because your site and the bad actors server could both be behind the Cloudflare CDN, which would handle both transparently.
No, I mean the initial HTTP request can go to some other site, which can then issue a redirect to anywhere it pleases (i.e. to exchangerate-api.com).
If you're running a malicious service and you want to throw people off the scent, one common strategy is to redirect to random legitimate services so that anyone investigating thinks you're part of the other service.
