So, because the nonce is created client-side, the client can just pre-compute as many valid hashes as they need.

Also, it's non-deterministic right? So you could potentially have someone waiting years for the hash to be solved?

Looks like you're essentially trying to rate-limit submissions. I think a signed timestamp would achieve this without wasting any cpu cycles, and wouldn't require any javascript.

This also protects against users that have mobile phones and older systems.

Also, the hashes are valid for 24 hours. Bots only need to pay the cost once per day.