In my opinion, you need to make the web client do some work, for example, set a cookie and see that it has presented it, using client-side javascript, perform simple calculations, but not predictable calculations that it should present.
Brute-force probably goes in relation to a specific account, you can increase the response time for each unsuccessful attempt in order to drastically reduce the rate of enumeration.
It is possible to start showing CAPTCHA in case such problems are detected.
It is possible to block an account in case of N unsuccessful attempts in a period of time.
Take as an example the logic of PIN codes of bank cards - 3 unsuccessful attempts - blocking the card. Therefore, even a very simple 4-digit PIN code becomes an unselectable brute force.
There are various practices for the approximate deanonymization of the web client, which will allow you to establish that the same web client is coming from different addresses.

You can limit the flow of requests using nginx.
https://www.geekytuts.net/shell-tricks/wordpress-b...
https://medium.com/@bhagyak.ksr/traffic-shaping-wi...
https://www.nginx.com /blog/rate-limiting-nginx/
It may even be possible to take into account the frequency of the 403 error code in a period of time per given path from one client.