cryptography – Transformation Schnorr Fiat Shamir

In the Schnorr identity protocol, we can transform the interactive ZKP into a non-interactive by replacing the role of the verifier (that is, by providing a random challenge value) with a hash function using the encrypted nuncio of the input prover.

s = r + e * x

or:
e = H (r * G)

Validation works by ensuring:

SG == R + e * P

or:
R = r * G

Suppose that in this non-interactive model, the prover chooses a r value in advance, and short R through the hash function to determine its correspondence e digest. Suppose the prover is malicious and tries to get the verifier to accept a Schnorr signature without knowing the private key X. If the prover denies this e value when building the signature, while selecting an arbitrary value s value, they could go back sG = rG-eP. As the prover knows R, e and P, it seems that they could convince an auditor that the signature is valid, without needing to know the private key. What prevents that from happening?