Somewhat related to #2, maybe a different direction to think about.

Would it be worth integrating some form of SSO (e.g. OAuth2) in addition to/instead of direct registrations? Besides the obvious benefit of "allowing an easier way to integrate with an existing stack", could also solve the issue of limiting registration by just making who can register be a different platform's problem -- for generic SSO, would be reasonable enough to just assume anyone who's in the SSO system could access; for specific SSO options (e.g. GitHub), could have options for limiting to users who are members of certain orgs or whatnot.

Something like Passport.js could be used to accomplish most of this