Mar 24, 2022
Consuming and securing own API (Sanctum vs Passport vs ?)
I've been looking at various ways to secure an internal API: Laravel Sanctum, Passport and JWT (https://github.com/tymondesigns/jwt-auth). What I'm looking for is to secure an API being consumed by an SPA that doesn't require user login. I just want to make it harder for any of the API's routes to be accessed from anywhere but my SPA. I can put in rules for the domain, or the IP, but ultimately I would like a token of some kind that changes often (maybe even every session) and one that doesn't write to the database.
Is there a best practice to do so?
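The kind of token described in the question (short-lived, rotated per session, no database write) can be built as a stateless HMAC-signed token: the server issues it when it serves the SPA, the SPA sends it back in a request header, and the server verifies the signature and expiry without any lookup. The following is an added example in plain PHP and is not code from the original post, from Laravel, or from Sanctum/Passport; the secret derivation (a 32-byte key, which in a Laravel app you would take from APP_KEY), the one-hour lifetime, and the `X-Spa-Token` header name are all assumptions for illustration.

```php
<?php
// Added example (not from the original post): a stateless, expiring,
// HMAC-signed API token. Requires PHP 8.0+ (union return type).
// Assumptions: $secret is a 32-byte key kept only on the server (in a
// Laravel app it would be derived from APP_KEY); the SPA receives the token
// when the page is served and echoes it back in an X-Spa-Token header.
declare(strict_types=1);

const TOKEN_TTL = 3600; // assumed lifetime in seconds; rotate by re-issuing on page load

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $enc): string|false
{
    $b64 = strtr($enc, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    return base64_decode($b64, true);                      // strict: reject bad alphabet
}

// Issue a token: payload carries an expiry and a random per-session nonce,
// tag is HMAC-SHA256 over the exact payload bytes. Nothing is stored server-side.
function issue_token(string $secret, int $now, int $ttl = TOKEN_TTL): string
{
    $payload = json_encode(['exp' => $now + $ttl, 'nonce' => bin2hex(random_bytes(16))]);
    $tag = hash_hmac('sha256', $payload, $secret, true);
    return b64url_encode($payload) . '.' . b64url_encode($tag);
}

// Verify a token: constant-time tag comparison first, then the expiry check.
// Returns the decoded payload on success, null on any failure.
function verify_token(string $secret, string $token, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$p, $t] = $parts;
    $payload = b64url_decode($p);
    $tag = b64url_decode($t);
    if ($payload === false || $tag === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $secret, true);
    if (!hash_equals($expected, $tag)) {       // constant-time, no timing oracle
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['exp']) || !is_int($data['exp'])) {
        return null;
    }
    if ($data['exp'] <= $now) {                // expired tokens are rejected
        return null;
    }
    return $data;
}

// What an API middleware would do: pull the assumed X-Spa-Token header from
// the request headers and reject with 401 when verification fails.
function authorize_request(string $secret, array $headers, int $now): bool
{
    $token = $headers['X-Spa-Token'] ?? '';
    return verify_token($secret, $token, $now) !== null;
}

// Stand-alone demonstration with a freshly generated (assumed) secret.
$secret = random_bytes(32);
$now    = time();
$token  = issue_token($secret, $now);

var_dump(authorize_request($secret, ['X-Spa-Token' => $token], $now));                    // bool(true)
var_dump(authorize_request($secret, ['X-Spa-Token' => $token], $now + TOKEN_TTL + 1));    // bool(false): expired
var_dump(authorize_request($secret, ['X-Spa-Token' => substr($token, 0, -2) . 'zz'], $now)); // bool(false): tampered tag
var_dump(authorize_request($secret, [], $now));                                           // bool(false): header missing
```

The caveat a practitioner would add: whatever token the SPA can read, anyone who loads the SPA can read too, so a scheme like this raises the bar (expired or forged tokens are refused, and no token can be minted without the server's secret) but cannot make the API reachable "only from my SPA". Treat it as one layer alongside rate limiting and a strict CORS policy, and accept that a client willing to script the page-load flow can still obtain a valid token.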