The app should use tECDSA pub key retrieved from an IC canister to verify the Bearer token, not a key stored in an environment variable.
Usage of a plain ECDSA token is almost as unsafe (against hacked canister hardware) as using a fixed secret.
I am writing my own implementation of a similar proxy with tECDSA support in a competing grant, which will contain reliable (tECDSA) authentication.
Note that there is a complex algorithm that I discontinued in favour of the more robust and simple usage of tECDSA for the canister.
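The verification path the comment argues for, as an added example that is not code from the original post or from either grant project: the proxy validates the Bearer token with an ECDSA public key obtained from a pluggable key source (the place where a canister lookup would go) rather than from an environment variable, and pins the algorithm so the token cannot choose its own. Assumptions: the `KeySource` interface, `StaticKeySource`, `VerifyBearer`, `SignES256` and the `Claims` shape are all hypothetical names for this demo; the demo uses a P-256 key and the ES256 JWT format because Go's standard library has no secp256k1 support, whereas the IC's tECDSA keys are secp256k1, so a real proxy would swap the curve and the key retrieval call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeySource abstracts where the verification key comes from. In the proxy
// discussed above this is where the tECDSA public key would be read from the
// canister; the interface itself is a hypothetical name for this demo.
type KeySource interface {
	PublicKey() (*ecdsa.PublicKey, error)
}

// StaticKeySource holds a key in memory and stands in for a canister lookup in
// the demo (assumption: P-256, since Go's stdlib does not implement secp256k1).
type StaticKeySource struct{ Key *ecdsa.PublicKey }

func (s StaticKeySource) PublicKey() (*ecdsa.PublicKey, error) {
	if s.Key == nil {
		return nil, errors.New("no verification key available")
	}
	return s.Key, nil
}

// Claims is the minimal payload the demo checks (constructed shape).
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// VerifyBearer parses an ES256 JWT from an Authorization header value, checks
// the signature against the key supplied by src and rejects expired tokens.
func VerifyBearer(authHeader string, src KeySource, now time.Time) (*Claims, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return nil, errors.New("missing Bearer scheme")
	}
	parts := strings.Split(strings.TrimPrefix(authHeader, prefix), ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the verifier decides, never the token (blocks alg=none and HMAC confusion).
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if len(sig) != 64 { // JWS ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("bad signature length")
	}
	pub, err := src.PublicKey() // the canister-provided key, not an env var
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, err
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// SignES256 mints a token for the demo only. In the design the comment describes,
// signing happens inside the canister with tECDSA, so the proxy never holds this key.
func SignES256(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := hdr + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo key pair
	now := time.Now()
	tok, _ := SignES256(priv, Claims{Sub: "alice", Exp: now.Unix() + 60})
	c, err := VerifyBearer("Bearer "+tok, StaticKeySource{Key: &priv.PublicKey}, now)
	fmt.Println(c, err)
}
```

Because the only key the proxy ever touches is the public one returned by `KeySource`, compromising the proxy host yields nothing that can mint tokens, which is the property the comment contrasts with a fixed secret in an environment variable.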