Reflexive Access List

Good question; there are quite a few differences.

The reflexive access-list can match on L2-L4 attributes, just like the normal extended access-list. It's quite "dumb" since the only thing it does is track the outgoing traffic and automatically create an access-list entry that reverses the source / destination IP addresses and port numbers. This works for traffic like HTTP but not for applications with dynamic port numbers.

CBAC is a lot smarter; it can match up to L7 attributes and supports a wide range of protocols. The reflexive access-list and CBAC are both configured at the interface level.

The zone-based firewall is like CBAC on steroids: it has more features and, instead of configuring it on the interfaces, we create zones and zone-pairs. Interfaces are assigned to zones and security policies are assigned to zone-pairs. This is a much more scalable method.

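To make the three approaches in the answer above concrete, here is an added Cisco IOS configuration example (not part of the original post) showing the same inside-to-outside policy built each way: a reflexive ACL, CBAC, and the zone-based firewall. Interface names (GigabitEthernet0/0 inside, GigabitEthernet0/1 outside), the ACL, inspect, class-map, policy-map and zone names, and the timeout values are all assumptions chosen for illustration. Each section is meant to be applied on its own; you would not run all three on the same interface at once.

```cisco
!
! ---- 1. Reflexive access-list (interface level, L3/L4 only) ----
! Outbound TCP/UDP sessions create temporary mirrored entries in the
! named reflexive lists; the inbound ACL "evaluates" those lists.
! Only the reversed 5-tuple is learned, so a protocol that opens a
! second connection on a negotiated port (e.g. active FTP data) is
! not allowed back in by the reflexive entry.
!
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT-TCP timeout 120
 permit udp any any reflect REFLECT-UDP timeout 60
 permit ip any any
!
ip access-list extended INBOUND
 evaluate REFLECT-TCP
 evaluate REFLECT-UDP
 deny ip any any log
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! ---- 2. CBAC (interface level, L7-aware inspection) ----
! Outbound traffic is inspected per protocol; CBAC inserts temporary
! openings ahead of the inbound ACL, and protocol inspection (ftp here)
! also handles the dynamically negotiated data channel.
!
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
ip inspect name CBAC-OUT ftp
ip inspect name CBAC-OUT http
!
ip access-list extended INBOUND-CBAC
 deny ip any any log
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip inspect CBAC-OUT out
 ip access-group INBOUND-CBAC in
!
! ---- 3. Zone-based firewall (zones + zone-pairs, not interfaces) ----
! Interfaces join zones; the policy lives on the zone-pair. Traffic
! between zones with no zone-pair policy is dropped by default, and
! return traffic for inspected sessions is allowed automatically.
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description INSIDE
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description OUTSIDE
 zone-member security OUTSIDE
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
```

The practical difference shows up when you add a second outside interface or a DMZ: with the reflexive ACL or CBAC you repeat the per-interface configuration on every interface, whereas with the zone-based firewall you put the new interface in a zone and, if needed, add one more zone-pair with its own policy. Verify state with `show ip access-lists` (reflexive entries appear under the named lists), `show ip inspect sessions` for CBAC, and `show policy-map type inspect zone-pair sessions` for the zone-based firewall.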