We didn't ban bots to start with - that was not the real action - we required login - which mandated blocking the bots or suffering the wrath of a totally abused login page. I would rather throw up a roadblock than sit here and let a bot crash into the 404 or login page because we required login and cookie support.
Presumably login/cookie access can be disabled by IP address, therefore: 1) Cloak the robots.txt file, allowing approved bots in. 2) Let the approved bots in without login/cookie requirements.
I've never heard of anyone cloaking the robots.txt file, but I can see no technical difficulty.
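The two steps proposed above, sketched as an added example that is not part of the original thread: robots.txt and the login requirement are both decided from the connecting IP address. The networks are documentation-range placeholders, the robots.txt bodies are constructed, and all function names are hypothetical.

```python
import ipaddress

# Constructed allowlist: documentation ranges standing in for the
# address ranges of crawlers the site operator has approved.
APPROVED_BOT_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:b07::/48"),
]

# Constructed robots.txt bodies (assumed policy, not from the thread).
ROBOTS_APPROVED = "User-agent: *\nDisallow: /login\n"
ROBOTS_DEFAULT = "User-agent: *\nDisallow: /\n"


def is_approved_bot(remote_addr):
    """True only if the TCP peer address is in an approved network.

    The decision uses the connection's address, never the User-Agent or
    X-Forwarded-For header, since a client can set both freely.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # malformed address: fail closed
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) must match the IPv4 entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in APPROVED_BOT_NETWORKS)


def robots_txt_for(remote_addr):
    """Step 1: serve a different robots.txt per client address."""
    return ROBOTS_APPROVED if is_approved_bot(remote_addr) else ROBOTS_DEFAULT


def requires_login(remote_addr, path):
    """Step 2: waive the login/cookie check for approved bots only."""
    if path == "/robots.txt":
        return False  # always fetchable, or no bot can read its rules
    return not is_approved_bot(remote_addr)
```

Both steps share one allowlist check, so an address that is handed the permissive robots.txt is exactly an address that skips the login wall.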