I think if you build your apps for production you are not able to debug your apps that easy.
But thats a topic i tried to find a solution, but for apps it is very hard to do it.
The only thing you can do is, to indentify your app via request-headers or build an authorization mechanism.
Like someone starts the app --> needs to generate an generic authkey build via user-agent string and all meta data like browser, os and so on. So you can identify a device with that key.
For cordova apps you can use the unique UUID of the device!
THis key has to be sent with every other api call.
If someone steals the key --> he needs to know full user-agent info of the device.
But then he could call the authentication request on his own and so on…
SO you only can make it not that easy to avoid unwanted request to your api