Short answer is that you can’t. As long as the form is accessible, any method you use to secure the form can be tackled in an automated way. You should never count on data sent by the user to be secure. However, there are a few things you can do to make things more challenging for anyone wanting to spoof your form.

• Add a CAPTCHA which will probably filter out nearly all scripted submission, but also have the greatest negative impact on regular users.
• Employ some form of CSRF protection (which you should have anyway). This will mean that anyone wanting to submit data via the form must request the form first. If this form is only accessible behind a login wall, this will make things quite challenging.
• If you already require your users to have Javascript, try using JS when setting up a key for CSRF protection. This means that the JS must be parsed or executed in order to submit a valid form.
• Filter common user agents such as cURL and wget.
• Check that the form was sent via POST and not GET.
• Add rate limiting on the server to throttle submissions to a reasonable level.
• Check the HTTP referrer. Easily faked, but one more hoop to jump through.

Ultimately, if someone wants to submit data to your form through some other means, it’s still ALWAYS possible. The above steps can make it more challenging, but any action that can be taken by the user can always be scripted, so make sure to have appropriate validation on the server side.