Do you see the bot even being challenged in your logs? To my mind, it’s infrequent to see bots pass captchas.
Sadly, Super Bot Fight Mode is just plain downright bad. Any webmaster that knows anything will tell you this, let alone the number of MVPs that have said similar things if not outright bashed it. People have also been asking for better editing of rules and whitelists etc., but nothing has occurred yet.
Like many here, use custom rules. Using the search function, you will find excellent examples and information. Some people here are very passionate about it.
Some examples that will net you more bot control are the following.
Ban outdated internet browser user agents, 3 years old and onwards. You will see how many use strings from 5 to 8 years ago and be shocked. This is a big one I found in reducing bots big time. Most are too stupid to make fake user agents.
Ban anyone not using a known HTTP version; allow only HTTP 1.0, 1.1, 1.2, 2 and 3, etc.
Ban requests that are not needed, such as options and delete, unless you need them. For example, WordPress users are only required to get, push and head.
Challenge or ban the top 10 worst ASNs and countries unless your customers / good traffic for AdSense come from those countries. Spamhaus is your source: The Top 10 World's Worst Spam Support ISPs.
Ban ASNs that repeatedly hit firewalls and WAFs, and are just downright malicious.
Challenge/ban countries that you don’t cater to; alternatively, challenge/ban the entire continent.
For example, your blog is about something dedicated to Australia, where all the countries in Africa really wouldn’t care, and most cannot even read the language or lingo. Still, you get 30% of your traffic from Africa; that doesn’t seem right. Instant challenge in my mind to all and see the bots get squatted.
Ban anyone with a threat score greater than 5, lower as needed, but test with JS / hCaptcha first if you go low.
These are just a few examples where you can destroy the bots, leaving the super bot mode as, yeah, I won’t say anymore. Also, many more examples in the forums.
Make sure to allow all known CF bots before any of the rules; this will bypass them and help reduce any good bot false positives.
Don’t get me wrong, CF can handle bots, but you need to pay an enterprise service to have any real control.
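
A dry run of the rule order described in the post above (known bots allowed first, then method, HTTP version, outdated user agent, ASN, country, threat score), as an added example that is not part of the original post and not Cloudflare's own code. The record fields, version cutoffs, method and HTTP version sets, ASN and country values are constructed assumptions; the point is to replay logged requests offline and count what each rule would catch before enforcing it.

```python
import re
from collections import Counter

# Constructed policy values (assumptions, not the poster's); tune per site.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1", "HTTP/2", "HTTP/3"}
MIN_MAJOR = {"Chrome": 100, "Firefox": 100}   # placeholder cutoff for "outdated"
BLOCKED_ASNS = {64496}                        # documentation-reserved ASN as stand-in
CHALLENGE_COUNTRIES = {"ZZ"}                  # placeholder country code
THREAT_SCORE_LIMIT = 5
UA_VERSION = re.compile(r"\b(Chrome|Firefox)/(\d+)")

def outdated_browser(ua):
    """True when the UA claims a Chrome/Firefox major version below the cutoff."""
    m = UA_VERSION.search(ua)
    return bool(m) and int(m.group(2)) < MIN_MAJOR[m.group(1)]

def decide(req):
    """Return (action, rule) for one request record; the first matching rule wins."""
    if req["known_bot"]:                      # verified bots bypass every later rule
        return "allow", "known_bot"
    if req["method"] not in ALLOWED_METHODS:
        return "block", "method"
    if req["version"] not in ALLOWED_VERSIONS:
        return "block", "http_version"
    if outdated_browser(req["ua"]):
        return "block", "outdated_ua"
    if req["asn"] in BLOCKED_ASNS:
        return "block", "asn"
    if req["country"] in CHALLENGE_COUNTRIES:
        return "challenge", "country"
    if req["threat_score"] > THREAT_SCORE_LIMIT:
        return "challenge", "threat_score"    # challenge before banning outright
    return "allow", "default"

def rec(**over):
    """Build a constructed request record; fields mimic a log export (hypothetical)."""
    base = {"known_bot": False, "method": "GET", "version": "HTTP/2",
            "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0.0.0 Safari/537.36",
            "asn": 64500, "country": "AU", "threat_score": 0}
    return {**base, **over}

SAMPLE = [  # constructed records, not real traffic
    rec(), rec(method="OPTIONS"), rec(asn=64496), rec(threat_score=12),
    rec(ua="Mozilla/5.0 (Windows NT 6.1) Chrome/49.0.2623.112 Safari/537.36"),
    rec(known_bot=True, ua="ExampleCrawler/1.0", threat_score=12),
]

def dry_run(requests):
    """Count (action, rule) outcomes so false positives show up before enforcement."""
    return Counter(decide(r) for r in requests)
```

Feed `dry_run` a day of real log records and review every non-default bucket for legitimate visitors before turning the matching rule on.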