This article describes that the reCAPTCHA functionality on websites is based on embedded Google security verification, which verifies that reCAPTCHA solutions are originated from the original list of domains defined for the service.

(https://developers.google.com/recaptcha/docs/domain_validation).

When using the SSL VPN web mode, FortiGate hosts a proxy to the customer's website, and the domain that sends out the request to the Google reCAPTCHA would be the FortiGate instead of the original customer's website, so it will not work.

The solution or workaround is to use SSL VPN tunnel mode instead.