Frankly I'm of the opinion that unless you can actually send a deterministic replay to the server that it can replay everything is going to be easily circumvented by decompilation.
Agreed, in practice.
In theory, there are others even more secure solutions.
For example, you could make the client just a video player, then run the ENTIRE GAME on the server, sending the rendered video of the game screen to the client, and sending back inputs to the server.
There are of course less silly variants derived from this thing, including the possibility of having clients verify each other. (While a client is playing, have it re-play a pending highscore entry. If more than, say, 50 clients with different IPs all end up claiming the same score for that entry, allow it.)