AppleInsider explains Apple’s new Private Access Tokens (PAT) tech announced at WWDC:

Using a new HTTP authentication method called PrivateToken, a server uses cryptography to verify a client passed an iCloud attestation check.

When the client needs a token it contacts an attester — in this case, Apple — which performs the process using certificates stored in the device’s Secure Enclave.

I’ve been waiting for someone to kill CAPTCHAs for us, but this will be an Apple-only solution for now:

The company is working to help make Private Access Tokens a web standard, but there is no mention of tokens working on Android or Windows. People on those platforms may have to put up with CAPTCHAs, for now — or wait for Microsoft’s and Google’s work on the matter.

I believe this is the draft of the standard that they’re referring to. Cloudflare also has a nice article on their work in this space.