Protection of API from abuse (signup and carding attacks)

I have a backend (API) and mobile apps.

Mobile apps user same client_id (Oauth2).

Now I see many Bots signing up, adding credit card for checking them (carding)

I cannot throttle, limit them since the IP is always different also client_id for all mobile clients is the same.

What solutions would you propose to stop it?

If there is a way to identify each Mobile client uniquely I can throttle each for 1 request per second or something (to stop …

abuse api apps attacks backend bots card carding carding attacks clients credit credit card cybersecurity limit mobile mobile apps oauth2 protection signing solutions