cookie could be faked but so can headers, and the way I have it now the cookie is only good for the session; bots and scrapers start a new session every time
The session ID is in the cookie, yes, but the info can be in the session. If a bad bot starts a new session, well, it will not have the "OK" in the session.
Accept headers can be faked, but that would make less sense as it breaks content negotiation, and you can use it as ONE aspect among other bot indicators.
, but my understanding of how Friendica and ActivityPub are set up is that the inbox should not be callable by bots and scrapers
For the server-to-server protocol an instance will act like a "legitimate bot": it will not pass a captcha or session check; validation of the request is done via signatures.
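The three points made in this thread (a server-side session flag instead of a trusted cookie value, the Accept header as one bot indicator among others, and HTTP Signature validation for server-to-server inbox traffic instead of a captcha or session check) fit together in one request gate. The block below is an added illustration written for this discussion, not Friendica's own code. It assumes a small `Request` object and a constructed key store; real ActivityPub servers resolve the `keyId` URL to the remote actor's RSA public key and verify RSA-SHA256, while here HMAC-SHA256 with a shared secret stands in for the primitive so the example runs offline. The `Signature` header parsing, the draft-cavage signing string with `(request-target)`, and the `Digest` check over the POST body are the parts that carry over unchanged.

```python
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass, field

ACTIVITYPUB_TYPES = ("application/activity+json", "application/ld+json")

# Constructed key store for this example: keyId -> shared secret.  A real instance
# fetches the actor document named by keyId and uses its RSA public key instead.
KEYSTORE = {"https://remote.example/users/alice#main-key": b"constructed-demo-secret"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict                                  # lower-case header names
    body: bytes = b""
    session: dict = field(default_factory=dict)    # server-side session store


def is_activitypub(req):
    """Server-to-server traffic negotiates ActivityPub JSON explicitly."""
    key = "content-type" if req.method == "POST" else "accept"
    return any(t in req.headers.get(key, "") for t in ACTIVITYPUB_TYPES)


def signing_string(req, signed_headers):
    """draft-cavage signing string: one 'name: value' line per covered header; the
    pseudo-header (request-target) binds method and path.  None if a header is absent."""
    lines = []
    for name in signed_headers.split():
        if name == "(request-target)":
            lines.append(f"(request-target): {req.method.lower()} {req.path}")
        elif name in req.headers:
            lines.append(f"{name}: {req.headers[name]}")
        else:
            return None
    return "\n".join(lines)


def body_digest(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def sign_request(req, key_id, secret, signed_headers="(request-target) host date digest"):
    """What the sending instance does before delivery (HMAC stand-in for RSA-SHA256)."""
    req.headers["digest"] = body_digest(req.body)
    mac = hmac.new(secret, signing_string(req, signed_headers).encode(), hashlib.sha256).digest()
    req.headers["signature"] = (
        f'keyId="{key_id}",algorithm="hmac-sha256",headers="{signed_headers}",'
        f'signature="{base64.b64encode(mac).decode()}"'
    )
    return req


def verify_signature(req, keystore):
    """Inbox-side validation: no session, no captcha, only the signature counts."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', req.headers.get("signature", "")))
    if not {"keyId", "headers", "signature"}.issubset(params):
        return False, "missing-signature"
    secret = keystore.get(params["keyId"])
    if secret is None:
        return False, "unknown-key"
    covered = params["headers"].split()
    if "(request-target)" not in covered or "date" not in covered:
        return False, "weak-coverage"          # replayable against another path or forever
    if req.method == "POST" and (
        "digest" not in covered or req.headers.get("digest") != body_digest(req.body)
    ):
        return False, "digest-mismatch"        # body changed after signing
    base = signing_string(req, params["headers"])
    if base is None:
        return False, "missing-signed-header"
    try:
        given = base64.b64decode(params["signature"], validate=True)
    except ValueError:
        return False, "bad-encoding"
    expected = hmac.new(secret, base.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False, "bad-signature"
    return True, "signature"


def bot_indicators(req):
    """Accept is ONE indicator; a client faking it breaks its own content negotiation."""
    found = []
    accept = req.headers.get("accept", "").strip()
    if not accept or accept == "*/*":
        found.append("generic-accept")
    if not req.headers.get("user-agent"):
        found.append("no-user-agent")
    return found


def mark_session_ok(session):
    """Set after the captcha passes; the flag lives server-side, the cookie holds only the ID."""
    session["ok"] = True
    return session


def gate(req, keystore=KEYSTORE):
    """Return (decision, reason) for one request."""
    if is_activitypub(req):                       # server-to-server path
        ok, reason = verify_signature(req, keystore)
        return ("allow" if ok else "deny", reason)
    if req.session.get("ok"):                     # a bot's fresh session never has this
        return "allow", "session-ok"
    found = bot_indicators(req)
    if found:
        return "deny", "bot-indicators:" + ",".join(found)
    return "challenge", "captcha"                 # looks like a browser, new session: prove it
```

The browser path never trusts anything in the cookie beyond the session ID, so a scraper that copies a cookie value gains nothing once its session is gone; the inbox path never consults the session at all, which is why a remote instance is not caught by the captcha.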