
Talking about API Security and Authorized users

Tags: Self Hosted, Tools
Ahmed Hammad
17 Jun, 2024, 18:40

I have a public question about API security. I have been using Appwrite for 3 years now, and the best part of Appwrite is the permissions handling, how it gets more secure with every update, and how Appwrite handles server-side security very well.

  • I have a Flutter app (Android, iOS, no web). For years I have been working hard to improve the client-side security, but I am always suffering from a part I didn't know how to handle: when the hacking comes from an authorized user. I have a lot of client-side security measures, like anti-reverse engineering, SSL pinning and more, but when the user breaks all of them with the advancement of hacking tools and gets the session cookie, that cookie already has authorized access to the data.
  • He mimics the API request outside the app (Postman or any other tool) and downloads the data. I am logging all requests using a reverse proxy (nginx) so that I can see the outside-app requests. Validating requests to make sure they're coming from the app is not effective; he will mimic the exact app request, so nothing new. It's only effective against users who aren't authorized to access the data, which is basically already secured by permissions.

So the question is: is there a way to prevent authorized users from hacking the data outside the app by making the API requests with their tokens or session cookies, or will I always get hacked like that and need to find better ways to prevent client-side hacking (which I see as impossible nowadays with the advancement of hacking tools)?

TL;DR
- Developer has been using Appwrite for 3 years and praises its strong security features for permissions handling and server-side security.
- Facing the issue of authorized users hacking data outside of the app by mimicking API requests with obtained session cookies.
- Currently using client-side security measures like anti-reverse engineering and SSL pinning.
- Wondering if there's a way to prevent authorized users from accessing data through unauthorized API requests.
- Solution: Consider implementing additional server-side authentication checks for API requests to prevent unauthorized data access.
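As an added example (not from the original thread and not Appwrite's own code), here is the kind of server-side check that still works when the client is fully compromised: a valid session will always be able to replay requests, so instead of trying to tell the app apart from Postman, read the nginx access log the poster already keeps and flag sessions whose request rate, number of distinct documents or bytes transferred inside a sliding window exceed what normal app use produces. The nginx log_format, the `$cookie_a_session` field name, the thresholds and the sample log lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) nginx log_format in front of the API:
#   '$remote_addr [$time_local] "$request" $status $body_bytes_sent sid=$cookie_a_session'
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<bytes>\d+) sid=(?P<sid>\S+)$')
DOC_RE = re.compile(r'/documents/([^/?]+)')   # document id in an Appwrite-style path
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["bytes"] = int(rec["bytes"])
    return rec

def flag_sessions(lines, window=60, max_requests=30, max_docs=20, max_bytes=5_000_000):
    """Return {session_id: [reasons]} for sessions whose successful reads inside any
    `window`-second span look like bulk extraction rather than interactive app use."""
    by_sid = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "200":          # only successful reads leak data
            by_sid[rec["sid"]].append(rec)
    flagged = {}
    for sid, recs in by_sid.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, start = set(), 0
        for end in range(len(recs)):        # sliding window over this session's requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            win = recs[start:end + 1]
            docs = {m.group(1) for m in map(DOC_RE.search, (r["path"] for r in win)) if m}
            if len(win) > max_requests:
                reasons.add("request rate")
            if len(docs) > max_docs:
                reasons.add("distinct documents")
            if sum(r["bytes"] for r in win) > max_bytes:
                reasons.add("bytes transferred")
        if reasons:
            flagged[sid] = sorted(reasons)
    return flagged

# Constructed sample log: one normal session and one session pulling 40 documents in 30 seconds.
BASE = datetime.strptime("17/Jun/2024:18:40:00 +0000", TS_FMT)
def line(sid, offset, doc, nbytes):
    ts = (BASE + timedelta(seconds=offset)).strftime(TS_FMT)
    return f'203.0.113.7 [{ts}] "GET /v1/databases/db1/collections/orders/documents/{doc} HTTP/1.1" 200 {nbytes} sid={sid}'
SAMPLE_LOG = ([line("normal", i * 15, f"doc{i}", 2_000) for i in range(5)]
              + [line("scraper", i * 0.75, f"doc{i}", 40_000) for i in range(40)])
```

A flagged session is a signal to act on server-side (revoke the session, step up authentication, or throttle), since the permission check alone cannot distinguish a legitimate user from the same user's token replayed from a script.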