It is not hard; carriers are lazy. These are massive companies with deep pockets and no motivation to tackle a problem that doesn't directly impact their bottom lines.
Just keep a registry of every organization that you've given permission to fake phone numbers, and which phone numbers they're allowed to fake. Make them route those calls through a special system and give them a secret token that that system will verify. Centralize your client/token/virtual phone number registry across all carriers (it's no different from certificate authorities). If one of the accounts starts sending spam calls, revoke their token. Done.
>Make them route those calls through a special system and give them a secret token that that system will verify
STIR/SHAKEN is handling this at the provider level. There are an awful lot of PBX installations out there, with hundreds of makes and models and service lives in decades. You are absolutely not getting every business with a trunk line (e.g. essentially every business with more than one telephone) to participate in a protocol change.
Have their system type out the secret token in dial tones before each call that has a fake number. Any phone could do that. They have to already be doing something special to tell it which fake phone number to use. This can't be a more strenuous ask than that is.
It’s not the complexity of the change, it’s the number and diversity and distributed ownership of machines that would have to be updated and configured (if still supported; many are past vendor EOL and would need outright replacement).