ARTICLE AD BOX
Practically no, attackers cannot spam Apple/Google Api calls (cannot send request to Apple/Google servers directly). Because attestation token is only generated if your app is signed up and running on real device. They cannot generate token using bots, fake apps or any script.
But attackers can spam your backend depends on actual control logic of your backend. So as long as your backend has enforces proper rate limiting on nonce/endpoints, perform strict server side verification this kind of spam can be avoided.
![Creating an Android app that makes a phone work like a gamepad using ADB [closed]](https://stackoverflow.com/Content/Sites/stackoverflow/Img/apple-touch-icon@2.png?v=0f0cab681579)