John,
This can go in the index.php file in the main root directory for Moodle and/or in the ./login/index.php file, especially if you have the site set to Force login.
When arriving Moodle always sets a session cookie. Normally, (ie under
GDPR
you should let it set this and then include mention of it in Cookiebot as a necessary cookie, since it is.
Now, as an alternative, you could put it in the page header: you do that in Site admin > Appearance > Additional HTML, but of course, then it loads on every page, not just at the login. However, you if were doing something like adding analytics or other links eg marketing or advertising here into the header, then you might want to put it here and then script them together, so if consent for any of those is denied, you don't load it on the page.
So which method works better will depend to some extent on which scripts and cookies you are using which require consent: Cookiebot should go before wherever you are loading those. In any case, you are responsible for the logic of setting or not setting the various (non-necessary) cookies accordingly based on the Cookie bot responses.
One more thing: if you are using Cookiebot and will also be using the Policies tool in Moodle itself to collect consents to policies, you will want to disable the forced cookie notice Moodle puts if you have policies - whether such policies have anything to do at all with cookies or not (which is not only unnecessary, but potentially a GDPR violation) but that's how it works. I figured out how to work around that here:
https://moodle.org/mod/forum/discuss.php?d=373764#p1506896
