Hi,
I have set up a Prize Table linked to a Leaderboard, which in turn calls my Azure Function. To integrate this, I added my Azure function with its function key to Playfab's CloudScript. This means my function can also be accessed through the ExecuteFunction API, allowing any player to trigger it. I need to ensure that only the Prize Table is able to call my API.
Usually, I would convert CloudScript context into a FunctionExecutionContext and verify that the CallerEntityProfile property indicates it is a title. However, I can't do that because the Prize Table triggers a PlayStream event, which doesn't indicate who initiated it. There's a common property called 'SourceType' that is set to 'BackEnd', but I'm not sure if that's enough to prevent players from calling my function themselves.
What's the best way to ensure, within my Azure Function, that only the Prize Table is calling the API and not a player?