Cloudflare attempts to guard sites using it against malicious traffic. To figure out if traffic is malicious, it has to sort out the "smell" of it: is it probably legit, or is it probably a known scraper / a penetration test attack / a DOS attack?
Some of that is done by inspecting the shape of packets but to figure out if, for example, a sudden spike in QPS is a legit novel interest in the data stored at the resource or a DDOS attack, Cloudflare's automated system will try to figure out if multiple incoming requests are actually from the same source and will throttle them all if they're determined to be hostile. Because, well, that's how you guard against DDOS in an automated fashion.
And in the middle, when Cloudflare can't determine the shape of the incoming traffic, it'll hit it with more scrutiny to check if it's automated. So if you're browsing with Tor, Cloudflare doesn't have a history on your requests to decide if they have a good past-behavior pedigree, so it ups the scrutiny: it'll try to cookie you and it'll throw up more CAPTCHAs to make you prove you're a legit human user of Tor and not someone trying to use Tor to hide a DDOS.
Still amazes me that Tor exists simply to hide American (and no doubt other Five-Eyes) spies among the ‘privacy advocates’ and others.
I admit, I used to believe in the ‘Tor mission’ for years and years.