for deposit of tokens you can’t achieve such thing. As the address is publicly available anyone can deposit the tokens to the address.
I think there is no way to check if the calls are made from your deployed frontend canister directly. BUT you can use some tokenization way (for e.g. JWT).
read this post from @severin: How does canister state change when processing multiple messages that await inter-canister calls? - #5 by Severin