There's not much you can "do" purely server-side that isn't easily bypassed by bots. That's how the arms race kicked off.
websites rate limit IPs -> bot developers start using proxies
websites block datacenter proxies -> bots use residential proxies
websites add captchas -> bots start solving them
websites inspect nuanced details of TLS fingerprints and header ordering -> bots start faking them
websites add browser fingerprinting -> bots reverse engineer it and start faking it
And so on. One thing these websites could do is place a lower limit on the total checkout time. Anyone who completes their checkout in less than 2-15 seconds (depending on the website) is quite obviously a bot.
Which they never do, and even if they did, they would get botted in using more volume. The only viable method I knew was SMS verification, but that didn’t seem to be implemented correctly by anyone.
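A sketch of the lower limit on checkout time suggested above, as an added example that is not code from the thread or from any site it discusses. The secret, thresholds, session IDs and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, kept server-side
MIN_CHECKOUT_SECONDS = 5.0        # assumption: a floor inside the 2-15 s range above
MAX_TOKEN_AGE = 1800.0            # assumption: checkout sessions older than this are stale


def _mac(session_id, ts):
    # Bind the start time to the session so a token cannot be moved between sessions.
    return hmac.new(SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_start_token(session_id, now=None):
    """Issued when the checkout page is served; carries a signed start time."""
    ts = f"{(time.time() if now is None else now):.3f}"
    return f"{ts}.{_mac(session_id, ts)}"


def classify_submit(session_id, token, now=None):
    """Return 'ok', 'too_fast', 'expired' or 'invalid' for a checkout submission."""
    now = time.time() if now is None else now
    # The timestamp itself contains a dot, so split on the last one only.
    ts, sep, mac = token.rpartition(".")
    expected = _mac(session_id, ts)
    if not sep or not hmac.compare_digest(mac.encode(), expected.encode()):
        return "invalid"          # missing, tampered, or issued for another session
    elapsed = now - float(ts)     # ts is trusted only after the MAC check passed
    if elapsed < 0:
        return "invalid"
    if elapsed < MIN_CHECKOUT_SECONDS:
        return "too_fast"         # completed faster than the floor
    if elapsed > MAX_TOKEN_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    tok = issue_start_token("sess-1", now=1000.0)   # constructed sample values
    for t in (1001.2, 1030.0, 5000.0):
        print(t, classify_submit("sess-1", tok, now=t))
```

The start time is signed server-side, so a client cannot claim an earlier start. A deployment would also need to make each token single-use, and this check only raises the cost per checkout; it does nothing about volume.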