@gibbsdesign Have you looked in the logs? The spammers hitting the send-magic-link endpoint on my site always use a python user agent, which can be blocked using Cloudflare WAF or an Nginx reverse proxy (I have done both).
For me, Cloudflare bot fight mode wasn’t effective, and they were coming from multiple IPs in multiple countries so a geoblock wouldn’t have been adaquate either.