Spammer protection?
I'm trying to reduce the number of spam registrations on the site.
I noticed the following:
- when I register myself, then $_SERVER, among other things, contains the following data:
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
[HTTP_COOKIE] => dle_newpm=0; _ym_uid=145052032953; PHPSESSID=n2do411r6h5rrk5; _ym_isad=0; DreamCashID=2x9zjnb78b2fw4cxakkf39kw525u; _gat=1; MarketGidStorage=%7B%223A%7B%22svspr%22%3A%22https%3A%2F%2Fwww.google.ee%2F%22%2C%22svsds%22%3A3%2C%22TMTQ%22C595190%22%3A%7B%22page%22%22time%22%3A1458034%7D%7D; _ga=GA139895609; _ym_visorc_1w
[HTTP_ACCEPT] => */*
[HTTP_PRAGMA] => no-cache
[HTTP_ACCEPT] => */* - no browser sends such headers, so you can filter by them.
But I think the simplest and most reliable way would be a reCAPTCHA in the registration form and wherever the bots are raging:
https://www.google.com/recaptcha/intro/index.html
You can also add a hidden input to the registration form and write a value there using JavaScript; if the value sent does not match what it should be, it means that a bot has registered - bots usually do not execute JavaScript. A kind of JavaScript captcha - quite reliable in my experience (more reliable than a captcha where you need to recognize text).
Simple example:
form
<form .....>
<!-- The secret value will be written here via JS -->
<input id="login_tt" type="hidden" name="login_tt">
</form>
<script>
// The value itself, which will be checked on the server (requires jQuery)
$("#login_tt").val("my secret value");
</script>
<?php
// Stop if the hidden field is missing or does not hold the expected value
if (($_POST["login_tt"] ?? "") !== "my secret value") {
    exit(0);
}
*/* in Accept: most often occurs when accessing the browser through a proxy, and in some cases when refreshing the page in the browser. That is, there is a chance of killing off a certain number of legitimate clients. Better to put a captcha on registration.
PS Pragma: no-cache is also set when requesting through a proxy.
Any cURL without settings will give this, not to mention the Python HTTP clients.
If the user is not intentionally trying to be anonymous, cookies will work. When you see a suspicious header (or some other characteristic feature/activity), you can act like Yandex: offer to enter a captcha.
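The answers above can be combined into one server-side check that offers a captcha on suspicious signals instead of rejecting the request. This is an added example, not code from the thread; it goes beyond the static secret by binding the `login_tt` value to the session with an HMAC, and the function names, server key and sample requests are assumptions.

```php
<?php
// Added example. Names, the server key and the sample requests are assumptions.

// Hidden-field value bound to the session, so it cannot be copied once and reused.
function expected_js_token(string $sessionId, string $serverKey): string
{
    return hash_hmac('sha256', $sessionId, $serverKey);
}

// Collect the suspicious signals discussed in the thread.
function suspicious_signals(array $server, array $post, string $expectedToken): array
{
    $signals = [];
    if (trim($server['HTTP_ACCEPT'] ?? '') === '*/*') {
        $signals[] = 'accept_wildcard';   // per the thread, proxies and cURL send this too
    }
    if (strtolower(trim($server['HTTP_PRAGMA'] ?? '')) === 'no-cache') {
        $signals[] = 'pragma_no_cache';   // per the thread, proxies set this too
    }
    if (($server['HTTP_COOKIE'] ?? '') === '') {
        $signals[] = 'no_cookies';
    }
    $sent = $post['login_tt'] ?? '';
    if (!is_string($sent) || !hash_equals($expectedToken, $sent)) {
        $signals[] = 'js_token_mismatch'; // page JavaScript did not fill the field
    }
    return $signals;
}

// Suspicious signals lead to a captcha, never to an outright rejection.
function registration_action(array $signals): string
{
    return $signals === [] ? 'allow' : 'captcha';
}

// Constructed requests modelled on the header values quoted in the question.
$token = expected_js_token('constructed-session-id', 'constructed-server-key');
$browserLike = [
    'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'HTTP_COOKIE' => 'PHPSESSID=constructed-session-id',
];
$scriptLike = ['HTTP_ACCEPT' => '*/*', 'HTTP_PRAGMA' => 'no-cache'];

foreach ([[$browserLike, ['login_tt' => $token]], [$scriptLike, []]] as [$server, $post]) {
    $signals = suspicious_signals($server, $post, $token);
    echo registration_action($signals), ': ', implode(',', $signals), "\n";
}
```

The registration page would write the token into `login_tt` from its script, in the same way the answer above writes its fixed value.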