Security Allow request only from Bubble

Hello,

I am using Bubble as a front-end only, and I have an external .NET API which has all my resources.
I actually use Bubble for authentication as well. The flow is that when a user logs in to Bubble, in the User data table (Bubble) I also create a field access_token, which corresponds to an encryption of the userId.
So when I make a request from Bubble to my API, e.g. /details/me, I attach the access_token, which is decrypted by my API, which then returns the details corresponding to the userId.

So my doubts are about security: if an attacker gets possession of that access_token, he can make requests on behalf of the user forever. However, I feel that it is still quite safe because that token is not exposed to the user's browser but is kept in the back-end database of Bubble.io. So for an attacker the only way to get possession of it is either to breach Bubble.io or to intercept the request between Bubble.io and my API, which however is secret because only Bubble knows my IP address.

So my question is: how likely and risky is either of these two scenarios?

I may have already found a solution, which is described in the title: is there a way to allow only Bubble to make requests to my API (Azure)? I know I can whitelist IP addresses, but I don't know if the address from which Bubble makes the requests changes all the time.

Thanks in advance,

Giovanni
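
The token flow described in the post, as an added example that is not part of the original post and not Bubble's or the poster's code: a token derived only from the userId verifies forever, while a token that also carries a signed expiry time stops verifying once that time passes. Assumptions: an HMAC signature stands in for the post's encryption step, and `SERVER_KEY`, the function names, the token layout and the 900-second lifetime are all hypothetical.

```python
import base64
import hashlib
import hmac

# Assumption: a secret held only by the API (constructed sample value).
SERVER_KEY = b"constructed-demo-key"


def _sign(payload: str) -> str:
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def _sig_ok(payload: str, sig: str) -> bool:
    # Constant-time comparison on bytes, safe for arbitrary input strings.
    return hmac.compare_digest(sig.encode(), _sign(payload).encode())


def issue_static_token(user_id: str) -> str:
    """Token that depends only on the user id, as in the post's flow."""
    return f"{user_id}.{_sign(user_id)}"


def verify_static_token(token: str):
    user_id, _, sig = token.rpartition(".")
    # No time input at all: a copied token is accepted indefinitely.
    return user_id if user_id and _sig_ok(user_id, sig) else None


def issue_expiring_token(user_id: str, now: float, ttl: int = 900) -> str:
    """Variant: the expiry timestamp is part of the signed payload."""
    payload = f"{user_id}.{int(now) + ttl}"
    return f"{payload}.{_sign(payload)}"


def verify_expiring_token(token: str, now: float):
    payload, _, sig = token.rpartition(".")
    if not _sig_ok(payload, sig):
        return None  # forged, truncated, or expiry field altered
    user_id, _, expires = payload.rpartition(".")
    if not user_id or not expires.isdigit() or now >= int(expires):
        return None  # malformed or past its lifetime
    return user_id
```
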