Hi, I am developing a SPA with Laravel and Vue and using Sanctum cookie based authentication for the SPA (same domain for backend and front end). I have all my API endpoints in the api routes file, and planning to make the API available for third parties down the line. I have come across the following scenario.

There is a API route for to save data from a contact form on the SPA and the users DO NOT need to be logged in to use the contact form (imaging a public facing "Contact Us" page where any un-authenticated user can use the form to post a message. So any visitor this form should be able to use the form (hence consume the API without authenticating), from within the hosted domain. However, I need to protect this endpoint from third party unauthorised use (from outside the hosted domain), hence need to protect it at app access level. I cannot assign sanctum:auth middleware to the endpoint route as it will then force the enduser to login to the system to use this form from within the hosted domain. I can protect this endpoint at app level using a token based approach (as if that I am using a third party API backend), but wondering if the cookie based approach in Sanctum has a solution to this. I am sure there has to be a quick and easy solution to this in Sanctum SPA cookie based auth as this is very common scenario. Any help is much appreciated. I have done an extensive search online, but cannot find a solution. Happy to share the codes if needed. Many thanks once again