Restricting Access to Netlify Functions

I’m working on a Netlify function that will act as a proxy server for a client app that needs to access their Brightcove videos. Brightcove’s API requires a proxy to access it. (here’s an example: https://github.com/BrightcoveLearning/sample-proxy-apps). Seems like this is a pretty common and well-supported use case for lambda functions (see: https://github.com/depadiernos/token-hider-inator)

However, every example I’ve found acts as a public proxy, which is not what we want at all. We want to restrict access to the proxy to only the client app. I thought I should be able to do this with the Access-Control-Allow-Origin header, but this demo function I created doesn’t seem to work the way I’d expect. I would think this would block access to anything but a page on https://example.com, but when I visit the function in my browser, I can see the result just fine.

What am I missing?

exports.handler = async (event, context) => {
  console.log(event, context);
  return {
    statusCode: 200,
    headers: {
      "Access-Control-Allow-Origin": "https://example.com",
    },
    body: "Hello from the restricted function!"
  };
};

Deployed at: https://baptist-contentstack.netlify.com/.netlify/functions/hello_restricted

Welcome to our Netlify community site, @scott-cloud-four. Would our signed proxy redirects meet the requirements here?