On top of that, I’m not really seeing a method of actually keeping the token out of a bot’s hands. It sounds like once the token is granted it’s carte blanche to scrape or commit fraud.

I don’t think there is really any easy solution for this problem either. It’s a never ending cat and mouse game trying to stop bots, similar to malware.