I've run into this issue several times and have never come up with an elegant solution, so I'm hoping that I have just missed it in my hours of Googling.
Situation: I have an AJAX endpoint that submits data. The javascript is hosted/generated on my server (think Google Analytics). I have no way of validating said data, aside from checking that it's a valid email address syntactically. I want to prevent a script from calling the endpoint endlessly.
Attempted solutions / why they won't necessarily work:
Limit calls by IP / Can't always predict the total # of calls over a period of time, especially since IPs can be proxied and/or several people may be behind one IP
Generate tokens / Can literally be viewed in the source and simply scraped up before re-submitting
$_SERVER['HTTP_X_REQUESTED_WITH']
/ Totally spoofable
I'm no security expert, but I know that this is a vulnerability that would easily skew data in an environment where some precision is needed.