Hacker News

Why not ReCAPTCHA?


Thanks for the suggestion.

It is possible, but this degrades the experience for legitimate users.

We prefer solving this without impacting/taxing normal users if possible.


Just add the captcha only for requests coming from the problematic ASNs, like AWS.

edit: Actually, since you use CF, just make a firewall rule that forces the captcha for those ASNs before it even gets to your app. They have a field named "ip.geoip.asnum" for that, and an action called "challenge" which will force a captcha.



