Cloudflare is the one putting up the captcha-wall and deciding whether to forward your request to the destination site. Your browser sends Cloudflare a token, then if Cloudflare accepts the token, it forwards your request. The destination site does not see the token and so cannot use it to track you.
Since Cloudflare does see the token, it's reasonable to consider whether Cloudflare could deanonymize you across different sites. Privacy Pass uses cryptography that claims to prevent that.
Since Cloudflare does see the token, it's reasonable to consider whether Cloudflare could deanonymize you across different sites. Privacy Pass uses cryptography that claims to prevent that.