For a ticket platform like pretix that can be run self-hosted alongside the main site, this should give you enough signals to discriminate between normal users and bots, unless they are specifically targeting that site, or am I mistaken? Even just pure web server access logs may be sufficient on smaller sites so this might work even without JS?