Even if you check the payment using an auth server, there is no 100% guarantee that somebody won't hack the application itself (change the code of the app to skip the check, or something similar). But of course it requires more work for the hacker, because GP fake payments on a rooted device require no additional work at all.
But you can of course add some additional protection, for example preventing the app from running on rooted devices, or some other similar tricks to detect that the user wants to hack you.
Also, maybe Google Play Licensing could help:
https://developer.android.com/google/play/licensing/index.html