API
triggerfinger, 2018-01-27 14:28:56

How to protect the API from being used by third parties?

I wrote an authorization server in Node which does only that for several front-end applications at once (JWT). It is a simplified REST API on the standard Node.js stack: express, mongoose, jsonwebtoken, nodemailer, etc. I know that various third-party services such as Auth0, serverless offerings, GraphQL, Firebase, etc. are popular now, but it was interesting to do it myself on Express, so to speak, and I also have various auxiliary services there, such as uploading, processing and cropping images, CDN-style, and from there I also serve JSON content to my CMS and front-end applications.
In short, the question is that a route such as http://api.example.com/signup is reachable directly in the browser; I only tried a GET request, but naturally it also works as a POST in Postman. I set up CORS, but that only protects against the API being consumed directly from other domains. That is, a foreign domain cannot load my API directly, but what stops a webmaster from writing a server application that acts as an intermediary, first requesting my API (and the request will go through, because it is not subject to CORS) and then handing the result to his client?


1 answer(s)
Alexander, 2018-01-27
@NeiroNx

I think you need to use client certificates: https://habrahabr.ru/post/213741/
