Are you planning to send this data back to the server at any point? In that case, the bot can simply change that when it sends the request to the server. Any variable value can be spoofed.

But won't the random variable name still have to show up in the web page's code? And in that case, wouldn't a bot still be able to read it?

Sorry to keep playing the Devil's advocate here, but the problem with using Ajax is that it's still just another HTTP request sent to some url on the server. This request, and any data sent with it, can be forged by a scripted bot.

Here's an idea, you could have a box or two that randomly change position. The positions of these boxes are stored on the server. The user has to click each box, and the mouse coordinates for each click are sent to the server and compared to the stored positions. The code to set the position in the browser could be obfuscated so that bots can't read it.