For the following scenario in place:
The result is:
This is the expected behavior. If a policy blocking rule is in place, the request for the OCS server (https://example.com) never reaches that server, so the server cannot present its certificate. Content filtering policy is enabled by Cloud Proxy. When a policy failure is detected and an error is returned to the user-agent, the proxy acts as a web server, hosting the error pages to be rendered. For this reason, the user sees the Cloud Proxy certificate, whether SSL interception is enabled or not.
The behavior is different if an ALLOW rule is in place: the request is then examined by Cloud Proxy and passed on to the OCS server (https://example.com), and the site returned is the example.com website, presenting this server's certificate.
Note: If the same URL (https://example.com) is also added to the content/malware scanning exemption bypass, the behavior will be different.
Adding a URL to Content & Malware Analysis -> Scanning Exemptions disables protocol detection.
(ref: Disable protocol detection on Cloud SWG portal policy)
With protocol detection disabled, Cloud SG has no means of knowing what type of traffic is being sent to it; it does not attempt to examine this traffic at all and essentially works as a TCP proxy.
This means policy will not apply reliably to destinations for which protocol detection is disabled, unless the policies are based purely on IP addresses.
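To confirm which side answered in the block and ALLOW cases described above, compare the issuer of the certificate the client receives with the proxy's signing CA. The following is an added example, not vendor code. It assumes explicit-proxy access and a proxy CA that is already in the local trust store; `PROXY_CA_CN`, the helper names and both sample certificates are hypothetical or constructed.

```python
import http.client
import ssl

# Hypothetical placeholder: set this to the CN of the CA your proxy signs with.
PROXY_CA_CN = "EXAMPLE-PROXY-CA"

def name_field(rdns, key):
    """Return the first value of `key` in an ssl.getpeercert() name tuple."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def who_answered(cert, proxy_ca_cn=PROXY_CA_CN):
    """Return 'proxy' if the certificate was issued by the proxy CA, else 'origin'."""
    issuer_cn = name_field(cert.get("issuer", ()), "commonName")
    return "proxy" if issuer_cn == proxy_ca_cn else "origin"

def fetch_cert(host, proxy_host, proxy_port):
    """CONNECT to host:443 through an explicit proxy and return the leaf certificate.

    Assumes the proxy CA is trusted locally; if it is not, the handshake
    raises ssl.SSLCertVerificationError instead of returning a certificate.
    """
    conn = http.client.HTTPSConnection(proxy_host, proxy_port, timeout=10,
                                       context=ssl.create_default_context())
    conn.set_tunnel(host, 443)
    try:
        conn.connect()
        return conn.sock.getpeercert()
    finally:
        conn.close()

# Constructed sample certificates in getpeercert() form (not captured data).
BLOCKED = {"subject": ((("commonName", "example.com"),),),
           "issuer": ((("organizationName", "Example Proxy"),),
                      (("commonName", "EXAMPLE-PROXY-CA"),))}
ALLOWED = {"subject": ((("commonName", "example.com"),),),
           "issuer": ((("commonName", "Constructed Public CA"),),)}

if __name__ == "__main__":
    print("block rule :", who_answered(BLOCKED))
    print("ALLOW rule :", who_answered(ALLOWED))
```

For a live check, pass the result of `fetch_cert("example.com", proxy_host, proxy_port)` to `who_answered`, using your own proxy address.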