Isn't that a bit optimistic? The captcha might have driven people away. Especially on mobile i'm not too keen on clicking photo tiles containing storefronts. Is there a way to detect false positives?
You said you get it from the traffic you serve, but wouldn't this be a privacy issue? If I host a wordpress blog and use cloudflare, does that mean there's the possibility of a human reviewing a login request, potentially revealing a user's password?
(Disclaimer, I use cloudflare for personal projects, and yes I know cloudflare could be recording/MiTM everything anyway - and they need to MiTM to provide their service, however I generally trust them)
For the purposes of machine learning we can do something like this: as a request passes through us see if it's a POST to /wp-admin or similar, see if the response is 200 or 302 (which would tell us if the login worked or not). All that's done by code not people. Use that as a label "good login" or "bad login" and then see if there are lots of "bad login" events for certain characteristics and use that to predict what's a bot.