The thing that strikes me is that they bring up Privacy Pass (https://privacypass.github.io/) as related work, and while I've never been completely, totally on board with Privacy Pass, I also feel like the reliance on hardware/OS verification checks here is strictly worse than what Privacy Pass is offering?
Forget the user experience for a second and privacy implications (Privacy Pass at least seems to be mostly hardware independent and can work on any device/browser that implements an extension, which has comparatively fewer negative implications for a competitive indie web ecosystem) -- speaking purely as a website operator, hardware checks seem strictly easier to game than a CAPTCHA. So even if I'm not a user trying to use a device that doesn't have these attestation schemes built into it, if I'm an operator wouldn't I prefer to have a protection that's harder to bypass by a click farm?
I'm not saying I would be completely thrilled with Privacy Pass either (CAPTCHAs in general are accessibility problems). But should I be thrilled about a version of Privacy Pass that (as far as I can tell) inherently must be more invasive to my hardware, and that isn't guaranteed to work on every device/browser that I use?