Because in the application the total size for data+signature must be well below 1000 bits, we can't use signature schemes with message recovery based on a trapdoor permutation like RSA, which otherwise would fit the goal nicely (see OPSSR).
All other signature schemes I know have asymptotic size overhead at least twice the security level. More precisely, asymptotically, signing requires adding $k\,\lambda$ bits for some $k\ge2$ if the best conjectured attack has cost growing as $2^\lambda$ operations (each of cost growing as a low degree polynomial of the security level $\lambda$). That would be a minimum of 160 or 192-bit signature overhead for $\lambda$ or 80 or 96 (commensurate with the moderate security requirement of software licensing). And even this is hard to achieve.
BLS signature achieves $k=2$ assuming a suitable pairing. But at least for low $\lambda$ it's difficult at best to choose one. Previously proposed Barreto/Naehrig constructs have succumbed at least in theory, and I do not know a replacement candidate (I asked here). On the other hand I have not heard of practical attack even at the formerly deployed 80-bit security level (slides).
This BLS draft IETF proposal considers the BLS12-381 pairing, for 381-bit signature at 128-bit conjectured security level ($k\approx2.98$), and that's used in some applications. This is not fully optimized for size, and other proposals like BW19-P286 and BLS48-286 that target the same security level achieve $k\approx2.24$.
However, my opinion is that dust has not settled on the security of pairings for BLS signature, especially for low $\lambda$ and low $k$. So much that I have no pairing to propose for $\lambda=80$ or $96$. Also, the lower $k$, the slowest the verification, which is antagonist with a standard tradeoff: for any signature scheme we can trim $b$ bit of size at the expense of a verification effort $2^b$ times higher, simply by omitting these $b$ bits from the signature and making the verifier guess them.
Another candidate to consider is the original Schnorr signature (that is with a $\lambda$-bit hash in the signature), which achieves $k=3$; or it's adaptation to an elliptic curve (same $k$, but faster). An advantage is that the signature is randomized, which allows another generic size optimization: we can trim an additional $b'$ bits of size at the expense of a signing effort $2^{b'}$ times higher, simply by omitting these $b'$ bits from the signature and requiring these are a public function (like a hash) of the others. Also Schnorr signature is simpler than BLS, and at least in the elliptic curve variant it's faster, allowing slightly more savings ob $b$ abd $b'$. Choosing secure parameters with any desired $\lambda$ is well understood, even for the elliptic curve variant.
We can reasonably get down to $b+b'$ of 40 or slightly more, thus for 80-bit security a 200-bit signature (growing by $k=3$ bits for each extra desired bit of security). I can detail if needed.
Note: the original Schnorr signature has some undesirable properties. In particular, the signer can generate pairs of messages with the same signature but arbitrary different start with effort $2^{\lambda/2+1}$ hashes. But that's not an issue in the application. And that can be solved without size increase if necessary, as in some protocols or when it causes fear of repudiation.
Post scriptum: in his 2015 Pairings in Cryptography talk, Dan Boneh compares the size of signature schemes with appendix (summary table on Youtube). He mentions that Indistinguishability Obfuscation could achieve $k=1$. So far, we have nothing practical that's theoretically secure. Correspondingly, using obfuscated code for license check is insecure facing knowledgeable and dedicated adversaries; but that's often done in practice, including with much less refinements than in the state of the art (see WhibOx Contests).
