Securing Apple Wallet Passes API / Log endpoint

I wonder about security around Apple Wallet Passes API hosted by passes' issuer - it sounds quite reasonable to assume that deviceLibraryIdentifier and serialNumber are (or should be) difficult to guess (even to be discovered by brute force program), but how to secure the Log endpoint (https://developer.apple.com/documentation/walletpasses/log_a_message) to ensure that "spam" log messages are not accepted from anyone, but only actual log messages from Apple are accepted?

Links:
https://developer.apple.com/library/archive/documentation/PassKit/Reference/PassKit_WebService/WebService.html
https://developer.apple.com/documentation/walletpasses

Securing Apple Wallet Passes API / Log endpoint
 
 
Q