Aggressive bot detection with 429 errors AJAX Cart API

We have been receiving more and more complaints of merchants seeing their cart crash due to 429 errors, not only on the /cart/add.js and other mutation endpoints, but on the /cart.js endpoint as well.

The issue is particularly visible when connecting through a VPN (I have used a NordVPN P2P connection to US servers) and opening the store in an incognito window. After a couple of minutes of normal usage, the Cart API starts returning 429 for all its endpoints, with the Cloudflare bot challenge and the message "Your connection needs to be verified before you can proceed."

`225f80cd-fc9f-4dd7-8ad1-49f6ceaf57d0-1769608128` is an example of the last request ID for a `/cart/add.js` request before Cloudflare started blocking all subsequent requests. This does not seem to affect the Storefront API.

8 Likes
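Added example, not part of the original post and not Shopify's or Cloudflare's code: one way for theme or app code to tell the bot challenge described above apart from an ordinary rate limit, so the cart can stop and show a message instead of crashing or retrying into the block. The function names are hypothetical, and it assumes the challenge response carries either Cloudflare's `cf-mitigated: challenge` header or the message text quoted in the post.

```javascript
// Added example: classify a Cart API response. Names are hypothetical.
// Assumption: a challenge is marked by the "cf-mitigated: challenge" header
// or by the message text quoted in the post.
const CHALLENGE_TEXT = "Your connection needs to be verified before you can proceed";
const DEFAULT_WAIT_SECONDS = 5; // assumed fallback when Retry-After is absent

// status: HTTP status code; headers: plain object with lowercase names;
// body: response body as text.
function classifyCartResponse(status, headers, body) {
  if (status >= 200 && status < 300) return { kind: "ok", retry: false };
  if (status === 429) {
    const mitigated = (headers["cf-mitigated"] || "").toLowerCase();
    if (mitigated === "challenge" || body.includes(CHALLENGE_TEXT)) {
      // Automatic retries cannot pass an interactive challenge; stop and
      // let the UI tell the shopper what happened.
      return { kind: "challenge", retry: false };
    }
    const seconds = parseInt(headers["retry-after"], 10);
    const wait = Number.isFinite(seconds) && seconds >= 0 ? seconds : DEFAULT_WAIT_SECONDS;
    return { kind: "rate_limited", retry: true, waitMs: wait * 1000 };
  }
  return { kind: "error", retry: false };
}

// Wrapper around fetch for /cart.js, /cart/add.js and the other endpoints.
// Reads the body as text first, because a challenge page is HTML and would
// make a direct response.json() call throw.
async function fetchCart(url, options) {
  const res = await fetch(url, options);
  const headers = Object.fromEntries(res.headers.entries());
  const body = await res.text();
  const verdict = classifyCartResponse(res.status, headers, body);
  return { verdict, cart: verdict.kind === "ok" ? JSON.parse(body) : null };
}
```

Logging the verdict kind next to the request ID makes it easier to report which requests were challenged rather than rate limited.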