by Wowfunhappy 1492 days ago
Sorry, can I get a layman's translation? What prevents websites from using Privacy Pass to track user behavior? (Beyond determining who is and is not a bot.)
2 comments

Basically, you fill a captcha once, and that gives 30 anonymous one-time-use tokens which are stored on the browser. The cryptography used ensures that there's no way to associate the one-time tokens between each other or back to the original captcha. Redeeming the token proves that you've already filled a captcha, and will bypass the captcha for that session.
Cloudflare is the one putting up the captcha-wall and deciding whether to forward your request to the destination site. Your browser sends Cloudflare a token, then if Cloudflare accepts the token, it forwards your request. The destination site does not see the token and so cannot use it to track you.

Since Cloudflare does see the token, it's reasonable to consider whether Cloudflare could deanonymize you across different sites. Privacy Pass uses cryptography that claims to prevent that.
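As an added illustration of the two points above (one captcha yielding a batch of unlinkable tokens, and the issuer being unable to tie a redemption back to issuance), here is a toy Python sketch of the blind-issuance structure Privacy Pass uses. It is not Privacy Pass code or the commenters' code; the group parameters, class names and request context are constructed for the example, and the group is deliberately tiny so the unlinkability claim can be checked by brute force.

```python
import hashlib, hmac, secrets
# Toy safe prime P = 2*Q + 1: every non-identity quadratic residue has prime order Q. Tiny on
# purpose so unlinkability can be checked by brute force; real Privacy Pass uses a ~256-bit curve.
P, Q = 1019, 509

def hash_to_group(token):  # token -> non-identity element of the order-Q subgroup
    x = int.from_bytes(hashlib.sha256(token).digest(), "big") % (P - 3) + 2  # 2..P-2
    return pow(x, 2, P)  # squaring never yields 1 for x in 2..P-2

def tag_for(shared, context):  # redemption MAC keyed with H(t)^k
    return hmac.new(shared.to_bytes(2, "big"), context, "sha256").digest()

class Issuer:  # captcha gate (Cloudflare's role): holds secret k, never learns the client's r
    def __init__(self):
        self.k, self.spent, self.issuance_log = secrets.randbelow(Q - 1) + 1, set(), []
    def sign_blinded(self, blinded):  # once per solved captcha; the issuer sees only H(t)^r
        self.issuance_log.extend(blinded)
        return [pow(b, self.k, P) for b in blinded]
    def redeem(self, token, tag, context):
        if token in self.spent:  # one-time use: reject replays
            return False
        ok = hmac.compare_digest(tag_for(pow(hash_to_group(token), self.k, P), context), tag)
        if ok:
            self.spent.add(token)
        return ok

class Client:
    def __init__(self, n=30):
        self.tokens = [secrets.token_bytes(16) for _ in range(n)]
        self.r = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]  # fresh blinding factors
    def blind(self):
        return [pow(hash_to_group(t), r, P) for t, r in zip(self.tokens, self.r)]
    def unblind(self, signed):  # (H(t)^r)^k raised to 1/r mod Q leaves H(t)^k
        self.shared = [pow(z, pow(r, -1, Q), P) for z, r in zip(signed, self.r)]
    def redemption(self, context):
        t, s = self.tokens.pop(), self.shared.pop()
        return t, tag_for(s, context)

def consistent_blinding_exists(blinded, token):  # is there an r with H(token)^r == blinded?
    return any(pow(hash_to_group(token), r, P) == blinded for r in range(1, Q))

def run_demo(n=30):
    issuer, client = Issuer(), Client(n)
    client.unblind(issuer.sign_blinded(client.blind()))  # one captcha -> n tokens
    ctx = b"GET /page"  # constructed request context bound into the tag
    t, tag = client.redemption(ctx)
    first, replay = issuer.redeem(t, tag, ctx), issuer.redeem(t, tag, ctx)
    # Every value the issuer logged fits every token equally well: the log links to nothing.
    unlinkable = all(consistent_blinding_exists(b, x) for b in issuer.issuance_log for x in [t] + client.tokens)
    return {"first": first, "replay": replay, "unlinkable": unlinkable, "left": len(client.tokens)}
```

The brute-force check is what makes the unlinkability concrete: because the blinding factor r is uniformly random, each logged value is a valid blinding of every token, so the issuer's captcha-time view carries no information about which token is later redeemed.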