[level3]

That doesn't seem like a big enough hurdle. Card testing is already automated with bots, and this method can be easily defeated with a simple tweak (e.g. use a catch-all address and then automate the link clicking).

I know you wrote that it's just "out-running you, not the bear," but you probably won't be outrunning others for very long.

Edit: I have no problem with measures that could help protect against fraud even just a little, but this one also introduces friction for legitimate customers, so it needs to be sufficiently effective to be worth it.