I had a similar problem How to limit the use of my desktop application (.exe) only to those who are registered on my site (what does it look like approximately?)?
The meaning is: everything that you write in c# || vb can be viewed (one way or another). Those. if authentication goes inside the application, then a more or less competent specialist will see through CIL what is being compared with what. Obusfaction - will remove idlers and students. So far (for myself personally) I have decided this: whoever uses my application must enter a login and password, after which (using any encryption principle) it is sent to my site, where it is compared with the login / password from the database. If gud, then by callback I pass directly the file that is "working" (exe, dll). More precisely, a link to download it. The application connects it through reflection. Before closing, the file (exe, dll) is deleted. More competently is to use API. Those. you have created an application in WPF - in which there is no information - only buttons, methods, classes, properties, etc. Your application (after authentication) backtracks in JSON or XML format with data that is directly inserted into your WPF. And this is probably the most correct option - to do everything through the API. All checks / additions / deletions in the database - only through the php of your site. In the program itself - no passwords and other things.
from words to deeds: https://tomnolane.ru actually this is it
ps registration done through the website

Well, for example, there is an application and there is a database, you can combine authorization in the application together with authorization in the database, even modifying the code will not help here. If you look towards WebAPI, then look for ASP.Net Bearer token autorization.