You should name it Hawk, so people can call it Hawk-Tui.

I run Emby and MythTV on a Beelink Mini PC. It is a little pricey compared to some of the options you mentioned but not by too much. It works really well and is very quiet:

https://www.amazon.com/Beelink-SER5-5560U-500GB-Computer/dp/B0B3WYVB2D

That makes a lot of sense. Not sure how that would work on Windows where users typically run with admin credentials. Yes, I cannot modify the boot loader, but with admin credentials I can do many malicious things to your traffic in between the browser and the OS, up to and including attaching a debugger to your browser process to see kernel memory.

I know it is possible for Linux to pass secure boot in some cases, so in theory it could be possible for there to attestation on Linux systems, but this suffers from the same flaw as Windows since users have root access.

In the end the only thing this will do is prevent someone from using curl or cli tools to access a site that requires attestation. Will this prevent bots? I am not certain. You could in effect guarantee a 1-1 relationship of users to TPM/Secure Enclaves. This would slow down bot farmers, but not stop them.

Chinese bot farm with 100’s of physical smartphones -> https://youtu.be/aSESD6rm54o

What exactly is the attestation checking? As far as I can tell it is a TPM assertion possibly that you have secure boot enables and that the browser has not been tampered with. Is there anything else? I looked in the Github page but alls that I saw was placeholders. Is this documented somewhere?