Yes, Hotjar's Heatmaps will report both clicks and mouse movements which happen within same-origin iframes, relative to the iframe element, not the page inside.
Only add the Tracking Code to the iframe to properly collect data
Make sure the Tracking Code is removed from the parent page. Due to current technological limitations, having the Hotjar Tracking Code on both the parent page and the iframe can cause Heatmaps of the page to fail and data collection to be skewed.
What does same-origin mean?
Same-origin means that the page loaded within the iframe is loaded from the same exact protocol and domain as the parent window.
How to Create a Heatmap for a Page within an iframe
Install the tracking code on the source page of the iframe.
Start creating a new Heatmap.
Target the iframe URL in the page targeting section.
This is the URL of iframe page itself, not the page the iframe element is present on.
Save by clicking Create Heatmap.