Computer networks

How to protect sms mailing from bruteforce?

Greetings.
The site has a registration page with a mob input field. numbers. It is important for the project that the specified number be real and serviceable, therefore, it was decided to add verification using a code sent by SMS.
Problem:
SMS are paid, and I really don't want someone unscrupulous to take advantage of this to draw down the project budget. The main difficulty is how to protect yourself from a targeted attack by IT-savvy people?
It is clear that strong protection under these conditions is almost impossible to implement, since the trigger is not a service, but a request from the client. In this case, you can only get by with restrictions built on elaborate schemes. But maybe there is some other option. Still, such a check is popular on a number of services.
Options were considered:
1. Limiting the number of messages per number is not effective enough: requests can be sent to different numbers, even if we take into account that the procedure for filling in reg. forms are long enough. This process can be automated.
2. Limiting the number of messages per ip address is also not effective: not only can dozens of clients sit on the same ip subnet (I could be wrong) , but no one has canceled anonymizers either.
3. Limit the number of messages per day/hour - ordinary users may suffer and the service will not receive customers.
In a word, the question boils down to this:
Is there any scheme (albeit complex) that allows isolating unwanted requests from the general flow with a probability of > 90% and warming up for several dozen requests?