Came up with an answer that I believe is satisfactory, so I'm posting here. I actually used an HMAC solution, basing the hashkey on the parameters passed into the GitHub program. I run that program on a Github local runner, and start the webhook (on the same server) with the same parameters passed in, and the generated hashkey as an extra one.

The runbook behind the webhook generates its own hashkey from the same parameters, and compares it against the one passed in. If they don't match, I reject.

Hopefully this helps someone else.