If those requests are made on the client-side, there is no 100% secure way to make sure that the one making the request is your React app.

And in case the JWT token is "stolen" and used on Postman to make request, What is the problem? All data must be validated on both ends, client and server, so there shouldn't be a difference between the React app and Postman doing it.

Any "API Token" you send to the a client (user browser) can be extracted by the user. See https://stackoverflow.com/a/57103663 about this

To make sure your API is only used by your app, all API request must be done server-side. That probably means using some kind of React Framework to do server side rendering.