Please remember: the client is in the hands of the enemy. Always. There are no exceptions. Any protection can be only on the server, on the client - only visibility.

Encrypt the content being served via RSA between the server and the application. (SSL/non-SSL - we don't consider this now!)
2. Use payment data when encrypting data on the server.
3. Change the key on each request based on the current session's packet number, time, random number, etc.
4. Give content in portions with different encryption - prefetch/segmentation.
5. Update the internal encryption protocol at least once every 1-2 months.
There is no 100% protection on the client that would not allow content to be saved.
For that - it is possible to complicate it to unrealistic labor costs.

But is protection by purchase ID not enough?
curl will not be able to pull out more than what was bought.
If you don’t want the purchased items to be pulled out somehow, except in the app itself, try inserting once-tokens, the generation of which will only be known to your app.
This will make it so that all requests are valid only once.
Of course, there is a case when the request does not reach the server, and then it is executed by curl, but this is already from the category of paranoia.
The complexity of protection should be commensurate with the value of the protected content.

Give the client a token - a meaningless guid, let the API present it, get the next portion of content, change the token after a period of N (minute, hour, day, week).

There is only one way here - to screen requests through your own server, from where you can send requests to the paid API
Mobile application -> your own server -> paid API