Is it possible to verify that an API call to my server came from my app and was not spoofed with another HTTP request client or similar? I'm using React Native with Node on the back-end, and am using a JWT system for authentication.
Context: certain features are only unlocked for users that the app has detected are at a certain location. The only system I can think of for unlocking these is pretty weak - the front-end sends a request to the server with the user's location, and if the location fits then the features are unlocked. Obviously this request can be spoofed easily, unless I can sign them in a certain way that is unique to the app and is difficult to reverse-engineer.
Any other approaches would be appreciated (e.g. detect the user's location from the IP address that the request was sent from?)