I know it's frowned upon here, but there are commercial and open source[1] javascript obfuscators with domain locking functionalities. If your site is already a SPA, they can make it very painful to just lift it (not impossible, obviously, because everything is reverse-engineerable, but the point is to discourage the majority of thiefs). You can be creative: for example, if whoever cloned your site is located in China, you can redirect users to prohibited content if you catch them running your javascript on the wrong domain. If your site calls APIs, you can call them in the wrong way on purpose to get the cloned site banned. You can also triggers those side effects randomly in order to make it more frustrating and untenable to serve your cloned site. This obviously presupposes you're doing all the rendering from the client side.
Also, compiling part of your business / checking logic to various Web Assembly modules might make it even more difficult for the thieves to reverse engineer. Of course this would mean more maintenance on your side as well, so you need to choose a reasonable ratio of maintaining complexity vs. fucking with them.
[1] https://obfuscator.io/