Azure SSO access token

Hello, I’m creating a React website (front end) with a backend running MongoDB and some API calls to this DB. I just implemented SSO login on my website and I was wondering how you guys are protecting your API calls. I want to protect the API calls so that only the users who have access to this website can use them (through the website only). I did try to just attach the logged-in user's IdToken (not access token) to the API calls' header, then try to do some magic on the API calls, but I want to know the right way to do this...

Note: the reason why I use the IdToken is that when I wanted to get an access token I saw I had to use scope: Users.Read. But as soon as I add this to the login request scope, my login wants me to “Request for Approval”, I can’t log in, and the request doesn’t work (company stuff…).