Not just tracking cookies, but browser fingerprinting.
Not just Google, but now Cloudflare.
What will be effective depends on the nature of the site and that of the bots causing trouble. For example, a forum can limit posting privileges until an account builds a reputation, a paid goods/services site can restrict access until a purchase is made, a web service can use revocable credentials, and a data download site can use rate limits. (That last one is actually useful in a variety of situations, and can be done at the network level instead of or in addition to the application level.)
There is no silver bullet, but there are lots of small measures that can be very effective when applied thoughtfully, without turning a site into a frustrating-to-use surveillance tool for Google at the expense of the humans who want to or have to use it.
Even a small, locally hosted, activate-only-once, simple image or text-based CAPTCHA would be preferable to the ones operated by third parties.
So all I need to do to bot your sites is to farm accounts? Easy enough, people do that on Instagram at huge scales.
Good luck. You’ll find that your farmed accounts can’t do much of anything, and will be quickly and automatically deleted.
Thank you for the thorough reply!