On my test the Tor browser blocked this call here:
with
Blocked https://try.discourse.org/ from extracting canvas data because no user input was detected.
which is obviously a lie, since the File Picker is user input.
That was detect by our failsafe mechanism:
Resize failed: Image corrupted during resize. Falling back to the original for encode
Which prompts Discourse to only re-encode the file, which appears to be successful, but then fails with a 422 when finishing the multi-part upload…
Tor Browser should block the canvas creation API instead of silently corrupting return values 
Anyway, looks like users can disable the silently failure of canvas operations by toggling privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts on about:config which will allow users to see this prompt:
I just tested and that fixes the upload.