How to secure my Custom Function Auth Provider that it can only be called from my App with Realm Web SDK?

How can I secure my Custom Function Auth Provider that it will only accept requests only from my Web App with Realm Web SDK?

I have a Custom Function Auth Provider and using Realm Web SDK it can login my users using

const app = new Realm.App({ id: process.env.REALM_APP_ID as string });
app.logIn(Realm.App.Credentials.function({ username, password }))

On my browser I can see on Inspect > Network, I can see it is a POST HTTP Request with URL https://<myAwsRegion>.realm.mongodb.com/api/client/v2.0/app/<MyAppId>/auth/providers/custom-function/login

I can easily use Postman Tool to call this Post Request and get my

{
    "access_token": "",
    "refresh_token": "",
    "user_id": "",
    "device_id": ""
}