It's a good idea to have cors restriction for this but you should not rely solely on a cors restriction. A cors restriction does not prevent a call to your endpoint, but only prevents the response of the call from being read.

Cors restrictions also do not work if a malicious user calls your endpoint from a command line or non reputable browser.

To make your endpoint secure, you should rely on ensuring the caller has proper authorization to use the endpoint.