I plan to have a form with JS onsubmit to do the verification. If successful, the validation will submit the form or reject it with an error message.
I don‘t know where to put the PHP because all the others are in Elements. I don‘t use a child theme but have all done with Elements. Can I use an Element that holds the PHP script (execute PHP) to serve as the validation endpoint? If not, what would be the preferred solution?
So, after many backs and forth, I finally found a way to implement hCaptcha invisible to my forms. I did not use Elements for it, but the suggested Snippets plugin, which I already had. The trick is to create a shortcode that first renders a form and second validates the input server-side via PHP. That works great for the visible captchas.
However, the invisible hCaptcha has some disadvantages (and I guess the same is true for invisible reCaptcha) that causes me to abandon the idea. It would either validate before any fields are being validated or would pop up even if the user does not want to fill in the form. The only options that would work are reCaptcha V3 and BotStop from hCaptcha. The former is not legally usable in the EU, and the latter is not free.
I will use the honeypot method for the time being, although bots become smarter and smell those pots more often than I’d like.