Cloudflare’s scheme with PATs is essentially a form of attestation, which, realistically, will only be implemented by Microsoft, Apple and Google, and if you’re a Linux or BSD user which isn’t integrated with a device manufacturer, you’d just have no other choice.
This is an unpopular opinion, but Recaptcha has never had this problem. I might face a few more captcha image screens to solve, but what’s being proposed with PATs is dangerous.
Companies will realize the majority of abuse comes from humans completing CAPTCHAs and little to none from TPM attestations. It's then a small leap to only trust TPMs and lock everyone else out. After all, every genuine user has an OS that requires a TPM.
This is an unpopular opinion, but Recaptcha has never had this problem. I might face a few more captcha image screens to solve, but what’s being proposed with PATs is dangerous.