The usual thing is to add a signature: sha256 (data collected in a string + a key known to both parties). And check it, discarding other requests.
For example, my hoster (Timeweb) regularly probes my scripts with its robots, which are accessed externally. From payment systems, for example. Even though there are no references to them anywhere. Either they are looking for bots, or something else. Naturally, it is more expensive to process such requests.

Read how to make the right REST API (for POST and not only).
Briefly: three additional parameters are needed (besides the API request parameters): HASH, RANDOM, TIMESTAMP.
HASH - we form according to TOKEN (we receive it in advance from the server) based on all the data transmitted when requesting the API: API parameters, RANDOM and TIMESTAMP.
We check the signature upon receipt of the request and compare it with HASH: if the signature is equal to HASH, we execute the request.
 
Input data that we want to trust:
1. Domain name of the API client: domain_expected
2. TXT record of the API client domain: TXT_record_expected
Available data (when receiving an API request from the client):
3 API Client IP: IP(1)
When initializing a new session (before generating a new token), you can make 3-4 DNS queries to any public DNS server (before generating a token!):
1. reverse_lookup (API client IP(1) to domain name(1)) => recognized the domain(1).
2. lookup (domain(1) to IP(2) by A-record) => learned IP(2)
3. reverse_lookup (IP(2) to domain name(2)).
4. Optional: you can check for the presence of the desired TXT records (and any others) and compare with the expected ones (the so-called "static public token").
After receiving all the data, check:
If the expression is true, then we issue a token to the client IP that has applied to provide access to this client to start working with our API.

I would encrypt data in transit. The receiver decrypts the contents with a key known to it and either receives the correct data and processes it, or some garbage and scores on it.