Just add the captcha only for requests coming from the problematic ASNs, like AWS.
Edit: Actually, since you use CF, just make a firewall rule that forces the captcha for those ASNs before it even gets to your app. They have a field named "ip.geoip.asnum" for that, and an action called "challenge" which will force a captcha.
It is possible, but this degrades the experience for legitimate users.
We prefer solving this without impacting/taxing normal users if possible.