I understand correctly that you have a pluggable widget from which any user WITHOUT authorization can post data to your backend and you are wondering how to make it so that only from those places where the widget is connected can be posted, and from others No?
If I understand correctly, then maybe you should think about some kind of whitelist list of allowed resources from which you can post?
It would also be possible to probably request a csrf token from the backend when generating the widget itself and validate it when submitting it. But then who will prevent a third-party "intruder" from asking the backend for this token in the same way?
PS well, and accordingly, somehow the widget itself would be nice to authorize. You can see this in some pluggable comment widget like disqus. You register in the system and, among other things, you are given the details that are necessary to connect the script. Thus, the discus always understands that valid comments are coming from your site, which you have registered in the system, with your details that this system has given you.

Maybe it's worth giving your widget through an iframe and generating a one-time key for validation after the completed fingerprint?
this of course will not save from everything, but CURL lovers will go to smoke.