And what will prevent a hacker from learning the encryption method and encrypting his request?
Everything that the client sends must be checked on the server, including the conditions for the admissibility of the request.

Communicate with the server using a self-written binary protocol by wrapping the whole thing in a websocket

Make a system of tokens tied to a specific client. The simplest solution to request validation in 5 minutes:
1) Come up with a secret word
2) Hash it and the request from the client:

$keyword = 'шифровочка';
$q = '123';
$hash = md5($keyword.$q); //089580e98caf60967d356e5cc3b32046

3) Send a request: https://example.com/api/test?q=123&hash=089580e98c...
4) Check it on the server for the same word and if everything is OK, skip
This is all very rough, there are a lot of ready-made solutions and algorithms. You can see an example of OAuth.

The client is in the hands of the enemy.
You can't do anything about it. All that remains for you is to monitor the state on the server side and check there whether the conditions are met. On the client side, all these checks can be considered validation for the convenience of the user - nothing more.
No encryption will help you (this does not mean that the API should work over open HTTP, of course).