For suggesting an altogether better solution, it would be helpful to know whether the principal purpose of the login CAPTCHA is 1. preventing bruteforce of luser passwords, or 2. locking out spambots which make automated posts. I suspect (1), and thats less difficult to address: It does not actually require distinguishing bots from squishy wetware.
According to cryptome the login CAPTCHA is useful for de-anonymizing of Tor users.
https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm
More secure alternative means of login would sufficeno, Im not thinking 2FA (which I hate), but rather, public keys. (2) does require distinguishing bots, which definitionally requires a Turing test. Ouch.
Your public keys idea sounds interesting. Alternatively giving each tor user a unique message to sign from a bitcoin address associated with their account might work.