I had this problem as well, and it turns out that if you are running Apache 2.4, the “Order” directive has been phased out in favour of a different way of specifying allow/deny.*
Here’s what works for me, using Apache 2.4:
<Directory "/var/www/mysite.com/wp-content/uploads/wpcf7_captcha" >
Require all denied
<FilesMatch "^[0-9A-Za-z]+\.(jpeg|gif|png)$">
Require all granted
</FilesMatch>
</Directory>
I put that in the per-site .conf file in /etc, and then commented out everything in the .htaccess file in /var/www/mysite.com/wp-content/uploads/wpcf7_captcha. If you’re in a shared hosting environment, YMMV.
(* If you want to read up on the details of the change in Apache 2.4, here’s a link. Look under “Access Control”.)
