Thinking about the security/use of the session ticket/authentication process.
At the moment, the only use of authentication is to obtain a playerID that links all possible authentication methods.
So what I am wondering is how I can prevent a fake client from impersonating "legit" client apps and making requests to the game server.
A hacker/cheater doesn't even have to bother with the client: as long as he knows his username/password, he can get a valid session ticket from PlayFab, and if he can reverse engineer the client code (which is not that hard with Unity and similar engines), nothing prevents him from contacting the server and making requests.
I understand that the game server is authoritative, and won't accept any request like give me 100k virtual currency, since it's not a valid Client/Server command.
But nothing prevents it from automating all the possible actions that the client/server communication currently allows.
If it's out of scope for PlayFab, don't hesitate to tell me.