I used the following URL format for my Stripe webhook destination in a Vercel preview deployment

https://<your-preview-url>/api/stripe-webhook?x-vercel-protection-bypass=<YOUR_SECRET>

According to Vercel Docs the x-vercel-protection-bypass token can be passed either as an HTTP header (recommended) or as a query parameter

https://vercel.com/docs/deployment-protection/methods-to-bypass-deployment-protection/protection-bypass-automation