I don’t think it’s Cordova-specific. Native apps are in the same boat. If the server is looking for a specific string in a specific header, and that string is available in the app binary (which it must be in order for the app to send it), anybody sufficiently knowledgeable and motivated can extract it and pretend to be the “genuine app” as a client.
Now I guess you could use a different protocol here instead of HTTP, but that is a pretty daunting task. TLS client authentication is a massive PITA, much more of a hassle for users than a typical signup process (which you apparently don’t even want to impose).
You could put rate limits by IP address, I suppose, if you wanted to stop wholesale usage, but pretty much anything else I can think of is going to be strictly on the server side, having nothing to do with communication between the app and the API itself. Sorry to be the bearer of bad news.
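The server-side rate limit by IP address mentioned above, as an added example that is not part of the original post. The header name, token value, limits and the `handle` helper are assumptions made for illustration.

```javascript
// Added example: per-IP sliding-window rate limiter for an API that cannot
// authenticate its clients. All names and limits here are assumptions.
const APP_HEADER = "x-app-token";            // hypothetical header name
const APP_TOKEN = "PLACEHOLDER-APP-STRING";  // constructed value; ships in the app binary

class IpRateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;       // max requests per IP per window
    this.windowMs = windowMs; // window length in milliseconds
    this.hits = new Map();    // ip -> array of request timestamps (ms)
  }

  // Returns true if the request is allowed, false if the IP is over its limit.
  allow(ip, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(ip) || []).filter((t) => t > cutoff);
    const ok = recent.length < this.limit;
    if (ok) recent.push(now); // rejected requests do not extend the window
    this.hits.set(ip, recent);
    return ok;
  }

  // Drop state for IPs with no requests inside the window (call periodically
  // so the map does not grow without bound).
  prune(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [ip, times] of this.hits) {
      if (!times.some((t) => t > cutoff)) this.hits.delete(ip);
    }
  }
}

// Decide the HTTP status for a request. The rate limit runs first and applies
// to every caller. The header check only rejects clients that do not send the
// string; it does not prove the sender is the real app, because the string is
// recoverable from the binary.
function handle(limiter, req, now = Date.now()) {
  if (!limiter.allow(req.ip, now)) return 429;
  if (req.headers[APP_HEADER] !== APP_TOKEN) return 403;
  return 200;
}
```

Behind a reverse proxy, key the limiter on the client address the proxy reports rather than the socket peer, otherwise every user shares one bucket.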