No one likes spam bot form submissions but they are a reality of putting your business online. There's no golden fix to this problem so regardless of what methods you try be very aware that you won't stop them all. Bots get smarter along with the detection / protection methods.
(This ramble is a post in writing, so expect changes and additions to be made.)
When merchants try and add captchas to storefronts the common approach is to use some form of JavaScript solution - whether it be some form of simple math solving or more complex drag and drop unlock process.
The problem with JavaScript solutions is that they won't make a major impact to serious bots.
Don't make the assumption that bots fill out your form like a normal human does. In many cases the bot doesn't even use a browser or at least doesn't directly type in the fields. Those bots will not be trapped by JavaScript solutions or HTML5 required tags, or whatever front end coolness you've cooked up.
The bots that do use JavaScript are also very unlikely to be slowed down by some simple math / logic question either. It's not hard for bot code to simply read the question "what is 2 plus 2" and know that it needs to add "4" as the answer.
For many hosted platform - Shopify included - a true captcha system would need support on the server side. Shopify has started to add captchas into some sections of the site and I'd love to see that scope widened to include any form entry page.
Should I add a captcha?
My advice - don't bother unless you are really getting slammed by spam. In that case stopping a few percent could actually equal a lot of processing time on your end. If you're only seeing a few submissions per week this is nothing to lose sleep over. Seriously.
If you think I am crazy for saying that - you could be right. Just weigh up the pros and cons yourself and make a call either way. You must realise that adding a captcha is going to hurt conversion to some degree since it interrupts the flow. What's worth more - the conversion, or the lack of annoyance for you managing the spam? There's no right answer here so go with your gut.
If not a captcha, what?
I do like how Mailchimp adds some basic low level detection in their forms. They purposefully add a field that is not seen, but can be found easily by a bot. If a bot fills out the field you can be confident that whatever filled it out is a bot, and just purge the data. Whilst not stopping the spam, being able to detect it faster will help when you're doing any cleanup. Until then, hope that a more bulletproof, server side solution is added on whatever hosted platform you're using.
I'd likely opt for something that uses the technique above along with code that adds the form HTML with JavaScript. By that I mean that zero form code would exist on the page if JavaScript is disabled. When JavaScript is enabled it's the JS that creates the form element. This hides the form code for any bot that harvests that info from the HTML source. For bots that do support JavaScript, that extra field should help identify the fakers faster.
For Shopify this can work pretty well but keep in mind the form endpoints will always exist. So form or no form you can still post data and have it process server side.
Do you have some sweet code examples?
Nope, but I'd be interested in hearing what examples you want to see.