Fundamentally, if someone puts in enough #effort, there is no server-side way to #detect a #difference between their traffic and any "legitimate" #API#client.
25 years ago I was writing scraping software (not nefariously...) that sent plausible referer: headers, paused appropriately between requests, operated from a widespread set of machines, etc.
The techniques have only gotten better and more widespread since, and it's even easier to apply them to an API.