There is a slight misunderstanding here such question. There are separate frontend and backend application. Communication between them is built on the tokens. But tokens are only used to protect private routes. User enters login/password and sends it to the backend, the backend checks if everything is OK, it issues access and refresh tokens. Here everything is clear.
How to protect public routes backend? Or not protecting them? I mean, for example, I have a public route, /api/items at which the frontend gets a list of something. And I want only a particular frontend have access to it, and not any other, not to spars the entire list of my items, cURL, for example.
Is there to bother or is it paranoia?