In the bot detection methods I've seen so far on this, a large part of it is timing analyses where there is a significant difference between headed and headless, e.g. graphical operations, audio processing.

That, or making sure that mouse really moved somewhere (in a sensible way) before the click occured.

This would have false positives for some accessibility software, I believe

True, that's why you don't want to block the pageload on this signal alone, just use it to trigger a captcha.

It's pretty awful to make people who need accessibility software go through more captchas. Those are an accessibility nightmare.

Or even non-disabled people who typically browse using the keyboard only. Please stop sending users who you find inconvenient to captchas!

With Privacy Pass they won't see more captchas, they will actually see fewer of them.

That could be circumvented rather easily I guess, by using a non-headless (head-having? head-full? headed?) browser instead. And perhaps adding some random human-seeming delay in interactions.

Headed browser.

And maybe, but that will make enduser suffer more (as always), as more false-positives will be caught.