Auth0 Token M2M API: Keep Getting 500 Error Instead of 403/401 Errors on Django

Glad the errors were sorted; the problem with simple mistakes (in this case a missing prefix in a variable name) is that they are sometimes the hardest to find, because our human brain just overlooks them.

In relation to the overall approach, I'm afraid that as soon as the client application (the caller of the API) can get deployed to an untrusted environment (in this case the end-user browser), there's not much you can do if you want to ensure that the calls are indeed coming from your application and not just from a third party. At least I'm not aware of any good approach, because the easiest one is for the caller to know a piece of information (credentials) that the API can validate and trust as something only the caller has.

This works with end-users because they will store that secret (password) in a way that no one else knows it. At least in theory; some end-users choose to store it on post-its, and that also does not work.