Given a public API which triggers OTP verification to users, is there a way to prevent such an API from abuse/spam?
This API is public, and there are business reasons for offering it on the public side. The API is developed using Java Spring MVC and has CORS enabled to allow requests from a specific domain. However, this alone may not prevent spam hits.
- Do I need to protect the API with a session ID? (But the session ID can also be grabbed easily from the browser for spam.)
- Is there a foolproof way to detect that the incoming requests originated from a specific domain and are AJAX requests only? This could potentially limit the calls. (Scripts are ruled out.)
- Do I need to use a captcha-type service?
This (preventing public API spam) appears to be a common scenario. Is there a best practice for weeding out the spam calls?
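One control that does not depend on the browser being honest is throttling the OTP-send endpoint itself, per recipient (with a resend cooldown) and per calling IP. The class below is an added example written for this question, not code from the original post; it has no Spring dependency so a controller can call `tryAllow` before sending, and the phone number and IP address in `main` are constructed sample values.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** Sliding-window limiter for an OTP "send" endpoint (added example). */
public class OtpSendLimiter {
    private final Duration window;          // length of the sliding window
    private final int maxPerRecipient;      // OTPs allowed per recipient per window
    private final int maxPerSource;         // OTP sends allowed per client IP per window
    private final Duration resendCooldown;  // minimum gap between two OTPs to one recipient
    private final Map<String, Deque<Instant>> byRecipient = new HashMap<>();
    private final Map<String, Deque<Instant>> bySource = new HashMap<>();

    public OtpSendLimiter(Duration window, int maxPerRecipient, int maxPerSource, Duration resendCooldown) {
        this.window = window;
        this.maxPerRecipient = maxPerRecipient;
        this.maxPerSource = maxPerSource;
        this.resendCooldown = resendCooldown;
    }

    /** Records the send and returns true if allowed; false means reject (e.g. HTTP 429). */
    public synchronized boolean tryAllow(String recipient, String sourceIp, Instant now) {
        Deque<Instant> r = byRecipient.computeIfAbsent(recipient, k -> new ArrayDeque<>());
        Deque<Instant> s = bySource.computeIfAbsent(sourceIp, k -> new ArrayDeque<>());
        prune(r, now);
        prune(s, now);
        // Cooldown check: the most recent send to this recipient must be old enough.
        if (!r.isEmpty() && Duration.between(r.peekLast(), now).compareTo(resendCooldown) < 0) return false;
        // Window checks: both the recipient and the caller must be under their quota.
        if (r.size() >= maxPerRecipient || s.size() >= maxPerSource) return false;
        r.addLast(now);
        s.addLast(now);
        return true;
    }

    /** Drops timestamps that have fallen outside the sliding window. */
    private void prune(Deque<Instant> q, Instant now) {
        Instant cutoff = now.minus(window);
        while (!q.isEmpty() && q.peekFirst().isBefore(cutoff)) q.pollFirst();
    }

    public static void main(String[] args) {
        // Constructed sample values: 3 OTPs per recipient and 20 per IP every 10 minutes, 30 s resend gap.
        OtpSendLimiter limiter = new OtpSendLimiter(Duration.ofMinutes(10), 3, 20, Duration.ofSeconds(30));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        String phone = "+15550001111", ip = "203.0.113.7";
        for (int sec : new int[] {0, 5, 60, 120, 180}) {
            System.out.println("t+" + sec + "s -> " + (limiter.tryAllow(phone, ip, t0.plusSeconds(sec)) ? "send" : "reject"));
        }
    }
}
```

The per-recipient cap is what limits the cost of OTP delivery and SMS flooding against one user, while the per-IP cap slows a single caller; the `Instant` parameter is passed in so the logic can be unit-tested without sleeping.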