Keep in mind that there’s no silver bullet as long as the user controls the computer that runs the app. All of the techniques below can be bypassed with enough reverse engineering experience and time. Think twice before applying such techniques: a fair chance that it’s just waste of time and you should spend time hardening your API checks to prevent cheating instead.
Typically you would do something like certificate pinning. If you have a very tough obfuscation for your app, then you may also try TLS client cert.