What is the use case for spam sign ups?

Hi @joe.a,

Welcome back to the Auth0 Community!

Currently (as of August 2022), Auth0’s attack protection (brute force and suspicious IP) features only kick in on failed login attempts.

I recommend checking this article for more information on how to Enforce Email Verification by Sending the Email Verification after Each Denied Access.
This article details how email verification can be implemented to prevent users from going further after registration and from signing in.

Also, I would try to Limit on IP Addresses to the Allowlist of Bot Detection.

Please let me know if this helps and if you have any follow-up questions.

Thanks,
Timotei