I feel like we need the angry goose meme here.
"But why are those providers returning incorrect data?"
In this case, because they decided actually implementing the protocol they were supposed to be implementing didn't work for their hacky design, so they hacked together a series of Good Enough workarounds.
These cloud companies are the Microsoft Internet Explorer of DNS service but unlike IE6 they're considered cool enough that they're tolerated.
The solution is simple: if you want to use this DMARC feature, then don't host with companies that do weird stuff with NXDOMAIN.
This seems like a major design flaw in DNSSEC, if so.
(I don’t have an opinion on whether Cloudflare or whoever else is a good participant in the DNS.)