Did you specifically set a WAF rule to turn the security score to effectively off for Tor users? I had to do this in order to prevent them getting hit with a captcha each time