Ya you could definitely do this way too. There is a standard that google came up with called private state tokens that would allow you to do this in a pretty clean way, if you were cool with using your governments portal.

Essentially you would login to the govt portal, they would issue you some limited set of tokens (let’s say 5) that would expire after 30 days. You would go to an age restricted website and sign up and that would “burn” a token.

You could use ZK on top of this to make sure that the same email address or some other “nullifier” piece of information was used, to prevent an 18 yo kid from selling their tokens to 17 yos.