If you're just pinging the endpoint without providing the necessary header then you are effectively a bot in this case. If you go through the motions to fill out the form and then submit it you're at least not explicitly telling the service you are going against its wishes by pinging the API directly.
As for the challenge, that seems to be within Cloudflare's implementation which then returns the token to submit with the form. HIBP then verifies the token to make sure its a match before checking for the data and sending a response.
As for the challenge, that seems to be within Cloudflare's implementation which then returns the token to submit with the form. HIBP then verifies the token to make sure its a match before checking for the data and sending a response.