The code is actually in a shared PHP file as the contact form is on numerous pages on the site. However I hadn't realised referrers could be blocked so that's the more likely explanation. I've started blocking the offending IPs at server level and may also revert to a standard captcha as I'm currently using Google's reCaptcha v3 (the non-challenge type) which I honestly don't think does any good at all!
Thanks Ray.