The bank I used to use had a per-verification request code that the app showed. If the party dealing with you knew the code, you could be sure they were the party who initiated the verification request.
But you said you read back the code. It should be the other way around--*you* compare the code they give you with the code the app gives you. Give zero information until identity is confirmed.