Comment by doctorpangloss

apple has blessed cloudflare WAF with backend access to the apple ID service tokens that they manage for things like iMessage authenticity

I think it has also blessed Amazon's WAF

Cloudflare has a turnstile product that i'm sure uses this apple IDS token

Mobile Safari generally is not shown Cloudflare captchas or similar because of Apple-Cloudflare cooperation. it's not complicated.

Apple calls it a "Personal Access Token" but that makes it sound more like a DRM scheme - which it sort of is, it is managing your right to a free-as-in-beer access scheme - than a broad web integrity environment solution