I think Private Access Token is a reasonable design, and it should be standardized with multiple attestation providers that any client can use. That seems like it would move the web forward, unlike simply not making headway on the problem of spam and fingerprinting/tracking as an anti-spam measure at all.