Bots on phpBB

Champion007

8:47 pm on Apr 16, 2021 (gmt 0)

5+ Year Member

Hello.
How to deal with massive account creation by spammer bots on the forum? Blocking such an account and IP is ineffective because new accounts are created. Maybe some settings that would catch such accounts themselves and block writing? The forum is on phpBB.

NickMNS

9:06 pm on Apr 16, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

It depends on how the bots are creating the accounts.
The simplest way would be to add a captcha (correctly implemented) to the sign-up form; the problem with this approach is that users hate captchas and you will likely risk losing valuable new users. Now many websites do this, so how many users you would really lose is debatable.

Other mitigation tactics depend on the sign-up process. Do you require users to confirm via email or sms link/code?

If the bots are simply sending requests to your sign-up form endpoint, then implementing something like CSRF protection could prevent that. It would force the bot to request the form and submit it from the page. This would then allow you to block IP addresses or rate limit the bots as needed.
[owasp.org...]

Side note: You may already have CSRF protection implemented for signed in users, but since sign-up is done by anonymous users your CSRF protection may not be triggered, as the vulnerability applies to logged in users.

lammert

10:38 pm on Apr 16, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

When I was using phpBB in the past, the bots targeted the signup scripts directly. Normal users first visit another page and then decide to sign up. You should add some code to the signup process to see if the same visitor recently loaded other pages. If not, it is likely a bot. This stops the bulk of automated signup attempts in their tracks. I went from hundreds per day to a few per week. I currently use this approach on a forum run with software other than phpBB. It still works in 2021. Bots became better at bypassing captchas and smart questions, but not at determining the functionality of fully server-side heuristic detection methods.

This kind of behavioral analysis is not annoying for humans. I always prefer a bot-stopping tactic where the bot needs to prove they are a human, instead of humans needing to prove they are not a bot.
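The server-side heuristic lammert describes, as an added example that is not part of any post in this thread or of phpBB itself: it walks a constructed access log and flags a sign-up POST whose session fetched no other page in the preceding window. The sign-up path, the log format and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

SIGNUP_PATH = "/register"          # assumed sign-up endpoint (placeholder path)
WINDOW = timedelta(minutes=30)     # assumed meaning of "recently"
MIN_PRIOR_PAGES = 1                # pages a human is expected to have viewed first

# Constructed access log (not real data): timestamp, session cookie, method, path.
SAMPLE_LOG = """\
2021-04-16T20:00:01 s-human GET /forum/3
2021-04-16T20:02:30 s-human GET /topic/42
2021-04-16T20:05:10 s-human GET /register
2021-04-16T20:06:00 s-human POST /register
2021-04-16T20:06:01 s-bot1 POST /register
2021-04-16T20:06:02 s-bot2 GET /register
2021-04-16T20:06:03 s-bot2 POST /register
2021-04-16T18:00:00 s-stale GET /index
2021-04-16T20:07:00 s-stale POST /register
"""

def parse_log(text):
    """Return (timestamp, session, method, path) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, method, path = line.split()
        events.append((datetime.fromisoformat(ts), session, method, path))
    return events

def prior_page_views(events, session, at, window=WINDOW):
    """Count non-signup pages this session fetched in the window before `at`.
    The sign-up form itself does not count: a bot that fetches the form and
    immediately posts it (to pick up a CSRF token, say) still has no history."""
    return sum(
        1 for ts, sess, method, path in events
        if sess == session and method == "GET" and path != SIGNUP_PATH
        and at - window <= ts < at
    )

def classify_signups(text, min_pages=MIN_PRIOR_PAGES):
    """Map each session that POSTs the sign-up form to 'allow' or 'suspect'."""
    events = parse_log(text)
    verdicts = {}
    for ts, session, method, path in events:
        if method == "POST" and path == SIGNUP_PATH:
            seen = prior_page_views(events, session, ts)
            verdicts[session] = "allow" if seen >= min_pages else "suspect"
    return verdicts

if __name__ == "__main__":
    for session, verdict in classify_signups(SAMPLE_LOG).items():
        print(f"{session}: {verdict}")
```

In a live forum the same check runs inside the registration handler against the visitor's own session history; the stale session shows why the window matters, since a page viewed hours earlier says little about the request now.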