I happen to agree that this is a bad use of attestation (as well as a pointless one, since it’s cheaper and easier for a click farm to do attestation with a bunch of yubikeys than to contract out CAPTCHA solves).
However, I don’t really think it’s an indictment of either WebAuthn or attestation more generally: as pointed out, most public services do not (and probably will never) require attestation. The winds are against it more generally: non-attestation flows are easier to implement, and WebAuthn adoption is increasingly driven by authenticators that don’t necessarily offer useful attestations (e.g. on-device and virtual tokens). Most future users of WebAuthn won’t have physical keys of the sort that Cloudflare’s scheme will require.
Especially with bullshit like CF using it as a captcha substitute. https://blog.cloudflare.com/introducing-cryptographic-attest...