How to only allow the dapp to call a function

How can a function only be callable by the dapp itself.

Say you have an AMM and want only calls that originate from the AMM's backend to be accepted by the contract?

I understand that onlyOwner can be used normally, but in this case the user of the platform will be calling every time.. so many different addresses.

I thought about hashing a secret key with the data being sent and having the contract decrypt and check it before deciding to execute but:

a) I'm not sure if that's super expensive computationally or not.
b) The contract would also need the key to decrypt afaik, which would be stored and viewable.

Possibly creating a private variable with the key in it as bytes and then using that? But is there any way the key would leak into tx data and become public?

Check out Access Control Library by OZ

Thanks I've used AccessControl a bit, but it doesn't seem to solve the problem I'm having.

I'd like any user that calls a method on the contract via the dapp UI to be able to do so, but if the same user tried to call from the same address directly to the contract, they wouldn't have permission.

Seems like using hashing is the only way to auth via the dapp, but I can't see how the contract can authenticate sigs from the dapp without exposing the key publicly.

IMO, the smart contract is unable to tell calls from the front end or another place, say etherscan, apart, even with the trick you are talking about. Whatever is passed to the smart contract from the front end can be recreated or copied and sent to the smart contract.