Turnstile siteverify endpoint ddos protection

Looking at the turnstile design (https://developers.cloudflare.com/turnstile/), I understand that I’ll need to host a server(-less) backend-function (e.g. via a cloudflare-worker) to check the JS-client-generated tokens by calling cloudflares Siteverify-API. While this makes sense, it means that someone could flood my verify-endpoint with requests using invalid/replayed tokens in order to run up my bill or take down my backend. Assuming I used a cloudflare-worker to do siteverify, is there anything I can do to prevent this from happening ?