How to check the validity of authorization of a mobile application (Google Play Game Services) on the backend server side?
Hello!
I apologize for the wording of the question, I could not think of a shorter and more capacious title. I will try to compensate for this shortcoming with a more detailed description.
The essence of my task
I am developing a multiplayer game (a mobile application written in Unity5), and now I have an acute question about saving user data (data on game activity). I immediately refused to use the standard tools offered by Google Play Game Services, since the lack of access to user data is unacceptable, and in case of problems during migration to new versions of the client, I will not be able to help anyone. As a solution, I firmly decided to use my server to store this data.
My implementation idea
I decided to write the server in Node.js, and given that I am new to designing and developing backend applications, I do not want to take responsibility for providing the full authorization process (registration, authorization process, password recovery and other processes that ensure data security) and I try to avoid this as much as possible.
On the client side, I had no issues, because I use the Google Play Game Services SDK, which allows the application to log in using the device's system account. But on the side of my server, I still don’t have a very clear idea of how I (the client) can convince him that I really am "Vasya Pupkin" and that I really have been authorized by Google.
Scheme of work
I see the authorization scheme on the server in the following form:
- the client logs in using Google Play Game Services, receives data (tokens and other crap);
- does its local business;
- there comes a time when the client needs to read / write data;
- the client forms a request to the server, "signs" it with the data received from Google (tokens and other magical crap);
- the server receives the cast and authorization data;
- the server does some magic operations, and by token, soap and other magic information, it receives confirmation / refutation of authorization from Google services;
- performs further actions according to the algorithm (sends an impostor into the forest or writes / gives information);
Well, actually the question itself
How can I check with Google if the user is authorized and what data is needed for this check?
And yet, taking this opportunity, I would like to know your opinion in general about the scheme itself and its rationality, can someone suggest other options?
Thank you! Especially for those who were able to master all this heap of text!
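
The server-side step of the scheme above, as an added example that is not part of the original question: it assumes the client forwards a Google-issued ID token (a JWT signed with RS256), and the server checks the signature plus the `iss`, `aud` and `exp` claims before trusting the `sub` user id. The key pair, the client id, `player-123` and the helper names are constructed placeholders; a local key stands in for the provider's published signing key.

```javascript
const crypto = require('crypto');

// Server-side check: pin the algorithm, verify the signature, then the claims.
function verifyIdToken(token, publicKey, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Never let the token pick its own algorithm ("none", HS256 confusion).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('sha256', signed, publicKey, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (!expected.issuers.includes(claims.iss)) throw new Error('wrong issuer');
  if (claims.aud !== expected.audience) throw new Error('wrong audience'); // minted for another app
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims.sub; // stable account id to key the player's save data on
}

// ---- Constructed fixtures: a local key pair stands in for the provider's signing key ----
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const EXPECTED = {
  issuers: ['https://accounts.google.com', 'accounts.google.com'],
  audience: 'EXAMPLE_CLIENT_ID.apps.googleusercontent.com', // placeholder client id
};
const b64url = (v) => Buffer.from(v).toString('base64url');
function signToken(claims, key = privateKey) {
  const body = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${body}.${b64url(crypto.sign('sha256', Buffer.from(body), key))}`;
}
// Returns "ok:<sub>" or "rejected:<reason>" so the caller never acts on a bad token.
function check(token, nowSec) {
  try { return 'ok:' + verifyIdToken(token, publicKey, EXPECTED, nowSec); }
  catch (e) { return 'rejected:' + e.message; }
}

const NOW = 1700000000; // fixed clock for the demo
const base = { iss: 'https://accounts.google.com', aud: EXPECTED.audience, sub: 'player-123', exp: NOW + 3600 };
console.log(check(signToken(base), NOW));
console.log(check(signToken({ ...base, aud: 'other-app' }), NOW));
console.log(check(signToken(base), NOW + 7200));
```

On a real backend the public key is not generated locally: it is looked up among the provider's published signing keys by the `kid` value in the token header, and those keys rotate.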