Saturday 27 March 2021

Only let trusted web clients register new users: how to ship HMAC secret in web frontend

I have a backend REST API with an endpoint /register where a user can sign up to register a new account (email + password).

Lately, however, my backend is more and more the victim of scripted attacks that register a lot of users to, later on, run spam attacks inside my application.

I thought about preventing this by only letting "trusted clients", like my official web app frontend, register users via the /register endpoint.

To do that I'm thinking about adding HMAC checks to /register, but I'm not sure how to ship the secret inside my frontend client (React) that is used to sign/compute the HMAC for the /register request.

Is there a way to ship the secret somehow in my React frontend that doesn't make it super easy for hackers to just read the JavaScript source code in the browser to get the secret?