I would say that the validation form has nothing to do with domain objects. If the submitted form is invalid, there is usually no reason to create / modify a domain object at all, this is a problem that lies entirely in the presentation layer / user interface. The inclusion of user input validation in domain objects violates the principle of separation of principles.
However, this is a moot point, and there is absolutely no right or wrong way to do this. Because, if you want the domain object to not be in an invalid state (throwing exceptions in the constructor and setters), you can get a duplicate of the code.
But if you use validation on domain objects to validate the form or not, you should prefer exceptions in the isValid state. Objects must always be in an acceptable state, this is one of the main advantages of OOP
Update
When asked where I put the input check: I use specialized request objects for each controller and use them in the controller as follows:
try { $user = $this->request->extractUserFromPost(); } catch (ValidationException $e) { $this->showValidationError($e->getMessage(), $e->getAffectedFields()); }
Methods can also be in the controller itself, but I prefer thin controllers that contain as little of their own logic as possible. Another common method is form objects that control the generation and validation of forms in one place (Example: Zend\Form ). If the request always comes from the form, that makes sense. My example above will work for both the web service and the HTML user interface.