The article does not mention that the construction there (and ones like it) are vulnerable to a one-more-signature attack if parallel queries are possible-- which is easily a fatal vulnerability in the headline digital cash application for blind signatures.
Contrast this with salted hashing where leaking the hash doesn't directly lead to compromise.
Could you use a blind signature to construct a rotating code 2 factor scheme where leaking the server credential doesn't lead to complete compromise?
TOTP and U2F keys aren't cross-site, and they don't occupy any space in the user's brain. They can be treated as ephemeral and effaced and regenerated. So we're not generally that alarmed at the prospect of them appearing on Pastebin, modulo of course the implications that has for the rest of our security.
Almost every realistic scenario in which TOTP/U2F keys are leaked implies that all serverside security has been lost anyways, so protecting the keys themselves is a secondary concern. Any reasonable site operator would invalidate all stored keys after such a compromise.
By the way: salting hashes doesn't really protect against password recovery. In modern systems, it's "stretching" that does the real work. You should be using a modern password hash like bcrypt or scrypt, not simply randomizing a standard cryptographic hash.
Even an eyeball test shows the value of salt. Here are 4 million usernames and hashed passwords. Oh, 86000 of them have the same hash. Ok, those 86000 users have some easy to guess password, we'll break that first.
And you don't "break a password first". You brute-force and compare against all of the hashes.
Off hand I don't imagine it's possible to do that this way, but there is a challenge-response authentication scheme that does guarantee (if you use it correctly) that compromise of the server credentials does not allow you to impersonate clients to the server. It's called SCRAM-SHA (RFC 5802, RFC 7677) and uses client and server nonces to provide the session uniqueness property (authentications can't be replayed).
Leaking the server credentials (StoredKey, ServerKey) does not lead to compromise (obtaining the ClientKey) under this scheme because StoredKey = H(ClientKey) and reversing H() is hard.