A simple captcha with distorted characters + some hidden form fields would stop every single "opportunistic" bot.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
I rotate structures every request I made it explicitely hard to automate and I just raise the PoW during attacks. It's always about reducing volume rather than preventing it and a million registrations later it's still holding strong.
bots get pruned after an hour since 100% of the bots fall into the same trap, giving it a delay makes A/B testing really difficult and breaks most AI strategies.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.