I would like to redistribute my app (PHP) in a way that the user gets the front end (presentation) layer which is using the API on my server through a web service.
I want the user to be able to alter his part of the app but at the same time exclude such an altered app from normal support and offer support on a pay-by-the-hour basis.
Is there a way to check if the source code was altered?
The only solution I can think of would be to get checksums of all the files, then send them through my API and compare them with the original app. Is there any more secure way to do it, so it would be harder for the user to break such protection?
A checksum / hashing algorithm like you’re suggesting will work well enough.
It’s not foolproof, as you suggest. But it doesn’t need to be. The people who can “crack” the protection mechanism you’re putting in place are the same people who won’t be utilizing your hourly services for support.
All likely scenarios that involve support effort on your part will lead you to discovering the modified code. So I’d say that what you’ve suggested is sufficient. Go for it and give it a try.
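The checksum approach the answer endorses, worked through as an added example (this is not code from the question or any of the answers): a PHP script that builds a manifest of SHA-256 file hashes over the shipped application tree, writes it once from the pristine release, and on later runs diffs the deployed copy against that reference, reporting modified, missing and added files. The application root (`__DIR__`), the manifest location (`reference.json`), the excluded runtime directories (`cache`, `uploads`) and PHP 8 are all assumptions made for the example.

```php
<?php
// Added example (not from the question or any answer): build a SHA-256 manifest
// of a PHP application tree and diff it against a reference manifest produced
// from the pristine release. Paths, the exclusion list and PHP 8 are assumed.

declare(strict_types=1);

/**
 * Walk $root and return ['relative/path.php' => sha256hex, ...].
 * Directories listed in $excludeDirs (relative to $root) are skipped so that
 * runtime-written areas such as caches and uploads do not raise false alarms.
 */
function buildManifest(string $root, array $excludeDirs = ['cache', 'uploads']): array
{
    $real = realpath($root);
    if ($real === false) {
        throw new RuntimeException("Application root not found: {$root}");
    }
    $real = rtrim($real, DIRECTORY_SEPARATOR);
    $manifest = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Normalise to a forward-slash relative path so manifests are portable.
        $relative = str_replace(
            DIRECTORY_SEPARATOR, '/', substr($file->getPathname(), strlen($real) + 1)
        );
        foreach ($excludeDirs as $dir) {
            if (str_starts_with($relative, $dir . '/')) {
                continue 2; // skip this file, move on to the next iterator entry
            }
        }
        $manifest[$relative] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

/**
 * Compare the manifest of the deployed copy against the reference manifest
 * shipped with the release. Returns the three classes of difference.
 */
function diffManifest(array $reference, array $current): array
{
    $modified = [];
    foreach ($reference as $path => $hash) {
        if (isset($current[$path]) && !hash_equals($hash, $current[$path])) {
            $modified[] = $path;
        }
    }
    return [
        'modified' => $modified,
        'missing'  => array_values(array_diff(array_keys($reference), array_keys($current))),
        'added'    => array_values(array_diff(array_keys($current), array_keys($reference))),
    ];
}

// Usage: the first run (no reference.json yet) writes the reference manifest
// from the pristine release; every later run diffs the deployed copy against it.
$root          = __DIR__;                      // assumed application root
$referenceFile = $root . '/reference.json';    // assumed manifest location

if (!file_exists($referenceFile)) {
    file_put_contents($referenceFile, json_encode(buildManifest($root), JSON_PRETTY_PRINT));
    echo "Reference manifest written to {$referenceFile}\n";
    exit(0);
}

$reference = json_decode(file_get_contents($referenceFile), true);
$current   = buildManifest($root);
unset($current['reference.json']);             // the manifest itself is not part of the app
$diff      = diffManifest($reference, $current);

$tampered = $diff['modified'] || $diff['missing'] || $diff['added'];
echo $tampered ? "Local changes detected:\n" : "No local changes detected.\n";
foreach ($diff as $kind => $paths) {
    foreach ($paths as $path) {
        echo "  {$kind}: {$path}\n";
    }
}
```

Run from the pristine release directory once to produce `reference.json`, ship that file with the app, and run the script again on a deployed copy to list what differs. As the later answers point out, a result computed on the user's machine is self-reported and can be altered before it reaches your API; the same `diffManifest()` comparison is more trustworthy when you run it yourself, for example over a copy the user uploads to your server as the second answer suggests.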
Have you considered hosting the frontend on your servers, then accepting uploads from the client? That way you can keep a record of whether or not they’ve customized it by whether or not they’ve submitted an updated version, and you have the file locally to compare if it’s ever in doubt.
Nope, you cannot trust any data the client sends you. It can and will be spoofed.
Spending engineering time adding tests is a tradeoff vs what value you expect to lose from these modifications going undetected.
You should stipulate the modification terms in your license, and that should give you enough ground to act.
Is there a way to check if the source code was altered? The only solution I can think of would be to get checksums of all the files, then send them through my API and compare them with the original app. Is there any more secure way to do it, so it would be harder for the user to break such protection?
No, you cannot trust the code metrics from the client, because that code might be hacked, modified or spoofed in transit. Unless your clients communicate with your API through trusted secure channels, there is no way to validate the authenticity of the information.
Basically, you need to secure your channel of communication through certificates or SSL, as well as identification/registration of client applications.