Could you not do a domain check of some kind in the JS payload and just document.write the entire thing with a bigass notice if it's not on your blessed domain?
You'd have to move the domain check in syntax and placement I guess, in an annoying game of cat and mouse... but it'd be something I suppose? Probably not worth it if it's not a large enough return.
That is trivial to remove via proxying, which author mentioned them doing.
Really, anything you add to the page can be just removed that way. Only thing you can try is to somehow differentiate attacker traffic from normal users but with ubiquity of VPN providers good luck
Adding this HTTP header makes your site not work if embedded.