Agree on the first part, but for the second... I think it depends on what your threat model is.
If you want to stop a dedicated attacker ready to spend time to attack your site, it won't work, but nothing will. If you want to stop a generic bot going over the internet and submitting all forms it finds with spam, this will work, and might even work better than a widespread solution for which the bot has a countermeasure.
It has the advantage of being novel for the user rather than doing the same Google/Cloudflare/... CAPTCHA for the 10th time that day.