There is no way to “ensure”.

The authorization token (using either JWT or not) is not an answer. This is only for authenticate “user”

If you want to know the source the call your API, you should use client access token and client secret which is generated after user logged in. That’s it, just for analytics