When you said you had 2 fly apps, I’m assuming your front end app has some kind of web server. That’s where you’d proxy to your API endpoint, not directly on the browser
In short: look at what your tools provide in terms of authn/authz. Also, your backend stack’s community might be more able to help - it feels like it’s not a Fly-specific problem.
You can’t really verify that a request to your API comes from a browser running your code. It’s not a Fly problem, or a browser problem - it’s how networked computers work. Anyone can just poke that API by hand, use some handy tool like Postman, or “copy as curl” from browser’s network tab and than play with it.
The best way to secure an API is to use authentication and authorization tools that come with your backend’s framework. You should verify who uses the API (probably by some kind of login and sessions setup), and in your app’s code decide what they can access based on their identity.
If you can’t put authentication at your current API’s level (for example if it’s some 3rd party product), then @khuezy’s suggestion to run a little fronted-specific proxy might help. But it all depends on what you are doing, why, and with what tools
To summarize for the moment I have set up a proxy at the level of my frontend application (which is public). The proxy redirects requests to my backend which is also public.