
Rate limits.


Botnets.


If you're worried about botnets, Cloudflare's solution won't save you either because normal unmodified browsers can be automated through extensions or remote debugging just fine.

Headless Chromium with some tweaks is already good enough that it's practically impossible to distinguish from regular Chromium, and Google knows it. That's why they were pushing for WEI (even though they were claiming it wouldn't impact browser extensions or debugging protocols). Google knows that environment browser/fingerprinting isn't an effective solution to stop automated requests, because normal user browsers out of the box allow sending automated requests.

Basically the only reason why botters don't already run full browsers is because of computer power, and botnets get around that problem. When attacks aren't limited by IP or compute power, attackers can just run regular browsers and bypass all of these checks. Even that isn't always necessary; a Raspberry Pi 5 is going to be perfectly capable of running a full Chrome instance to send automated requests through.

At least IP rate limits require actual work to circumvent: you need to acquire a botnet or a lot of IPs. Browser capability testing is comparatively easier to get around: you just run a full browser.



