When you receive a request to your website (or any service), that request comes from an IP address. There are databases that can tell you what country an IP address is from. It's not perfect, but it works well enough 99.99% of the time. Then, if the country is blacklisted, you do not allow access.
Those bots would be really naive not to use curl-impersonate. I basically use it for any request I make even if I don’t expect to be blocked because why wouldn’t I.
What others have been doing thus far has not been helping either. The problem just gets worse every passing day. How many have to be killed using American money until this problem is eradicated?