Is there any capability in signalR to prevent malicious users from calling server functions frequently, by changing client side scripts.
for example, restriction for functions: three calls per second from a user?
SignalR does not have anything like that out of the box, you would have to implement your throttling logic in your code.
If you then configure CORS properly, normal (*) malicious users should not be able to modify your script or access your hubs from unauthorized domains, so these 2 things together should allow you to reach your goal. But you have to implement it yourself.
(*) super hackers might be able to find a way if they really want to.