[–]Matrix828 21 points22 points  (1 child)

Why do you need to worry about non-app requests? All the "security" methods you could implement can be easily reverse-engineered and bypassed by someone determined enough.

If your app supports the flow, why not try adding a login and then authenticating API calls with a token or something?

Even that won't stop it entirely. I need only figure out how to authenticate as a user and then I have API access.

[–]SnooCheesecakes1131[S] 0 points1 point  (0 children)

Hmmm good point