Posting this as an answer as I don't have enough rep to comment.

I use a User-Agent Custom Header with a secret string (something like User-Agent:MySecretAgentString). Your Unity Client could add this header to all outgoing API calls, and your Server could filter out those that don't have it.

That being said, as @derHugo pointed out, outgoing packets could still be intercepted and the User-Agent string could be read. I only use the User-Agent to broadly understand where calls are coming from, and respond with platform-appropriate data if necessary. A sturdier solution would be using some sort of authentication token that validates the Client itself.