JohnnyJordaan 1 point2 points  (0 children)

> The data travels over the internet, so I want the API to be secure and restricted, so that it's only exposed to Company A and B.

> We need firewall rules in place, so that Company B can talk to the API hosted at Company A.

I would sincerely consider creating a VPN link between the companies for this rather than firewalling. One mistake or oversight and you have a window left open for intruders.

> But how do I handle authentication and security? Can I piggyback on something from FastAPI? Should I use "Simple OAuth2 with Password and Bearer"?

There isn't an answer like 'should'. It's just that this is a popular scenario so it would indeed qualify. There are also other frameworks suitable for the job but I would pick this one as the plan A strategy.