Yes, Hotjar's Heatmaps will report both clicks and mouse movements which happen within same-origin iframes, relative to the iframe element, not the page inside.
When it comes to cross-origin iframes, like a YouTube video, Hotjar will only report clicks shown centered on the iframe element.
Only add the Tracking Code to the iframe to properly collect data
Make sure the Tracking Code is removed from the parent page. Due to current technological limitations, having the Hotjar Tracking Code on both the parent page and the iframe can cause Heatmaps of the page to fail and data collection to be skewed.
What is the difference between same-origin and cross-origin?
Same-origin means that the page loaded within the iframe is loaded from the same exact protocol and domain as the parent window.
Cross-origin policy applies when the page loaded within an iframe DOES NOT match the exact protocol and domain as the parent window.
To create a Heatmap for a page within an iframe
Install the tracking code on the source page of the iframe.
Start creating a new Heatmap.
Target the iframe URL in the page targeting section.
This is the URL of iframe page itself, not the page the iframe element is present on.
Save by clicking Create Heatmap.