Assuming the spam is via a bot, how exactly does it find my form on site?

It spiders your site via HTTP and parses the HTML returned, looking for suspicious-looking form tags.</>

And the data I'm getting is much longer than the field size limits on web page, so they either are using their own variant of my page (which I'd need to try and block) or what?

All a form tag implies is that connecting via HTTP to the URI in the action attribute produces some action, and that it may or may not do anything with the form parameters submitted. If you can construct an HTTP request by yourself, you don't need the form.

That's how forum spammers and web services work.