> I was thinking about adding a user-agent validation as well which could add another layer.
Presumably this service exists because bots try to avoid detection. I don't think UA validation would really help much and there are plenty of libraries already that do this.
I didn't have issues per se with bots, but people trying to hide their location (think Nigerian user using a US-based VPN).
My trick was to get the device's timezone (which you don't need privacy permissions for on web or mobile). If it didn't match up with the ip address's country (or was in a banned country), then the account was banned.
