by niwde 3082 days ago
Use Access-Control-Allow-Origin and set it to only allow calls from a specific address.

Can someone fake the origin?
This is controlled at the browser level and most (all?) browsers implement this. Origin can be faked by just using anything that can make an HTTP request, like curl. It exists to protect users, not the server.
From a browser? No. From non-browser clients like curl? Yes. And your server will never be able to tell if it is fake or not.
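
The behaviour described in the replies above, as an added example that is not part of the thread: a synchronous JavaScript model of the exchange, simplified to a non-preflighted request. `ALLOWED_ORIGIN` and all function names are hypothetical.

```javascript
// Constructed model of the CORS exchange; no network traffic is involved.
const ALLOWED_ORIGIN = "https://app.example.com"; // hypothetical allowed origin

// Server side: every request is answered. Origin is only a string the client sent,
// so comparing it to ALLOWED_ORIGIN proves nothing about who the client is.
function serverHandle(requestHeaders) {
  return {
    originMatches: requestHeaders["origin"] === ALLOWED_ORIGIN,
    headers: { "access-control-allow-origin": ALLOWED_ORIGIN },
    body: '{"data":"response body"}',
  };
}

// Browser side: the browser sets Origin itself (scripts cannot override it) and
// hides the response from the page when the allow-origin header does not match.
function browserFetch(pageOrigin, scriptHeaders = {}) {
  const headers = {};
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (name.toLowerCase() !== "origin") headers[name.toLowerCase()] = value;
  }
  headers["origin"] = pageOrigin;
  const res = serverHandle(headers);
  const acao = res.headers["access-control-allow-origin"];
  const readable = acao === "*" || acao === pageOrigin;
  return {
    serverProcessed: true, // the request still reached the server
    originMatches: res.originMatches,
    body: readable ? res.body : null,
  };
}

// Non-browser client (curl and similar): sends any Origin it likes and
// reads the body directly, because nothing on its side enforces CORS.
function nonBrowserClient(claimedOrigin) {
  const res = serverHandle({ origin: claimedOrigin });
  return { serverProcessed: true, originMatches: res.originMatches, body: res.body };
}
```

The server answers all three kinds of caller; only the browser withholds the body from a page on another origin, which is why access to the data itself has to be decided by authentication on the server rather than by this header.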