☒ Can you explain your requirements a bit more? I understand that you're wanting to prevent anything from calling your application except for your application specifically (whether front end or back end). For your particular example with the /users.json, is there any checks in place on that action to only return authorized users, rate limiting, pagination, etc? Is your front end completely separated from the back end?
Unauthorized users should return 401. You should pass a cookie with the session or a JWT to validate a user's access to the resource.