Yes, that would be a good idea, and that's basically what Twitch's extension helper is already doing for you:
it supplies the extension iframe with a JWT which is signed by Twitch using a secret shared between you (the developer) and Twitch.
You can then use this JWT for backend calls to your EBS, making sure no third-party/non-legitimate request will be answered by your EBS.
This is also explained in the extension docs.
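Added example, not part of the original post and not Twitch's own code: a minimal EBS-side check of the JWT described above, using only Node's built-in crypto. It assumes the token is HS256-signed, that the shared secret is stored base64-encoded, and that claims such as `exp`, `channel_id` and `role` are present; the secret and tokens here are constructed for the demo.

```javascript
// Verify an extension JWT (HS256) on the EBS before answering a request.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// HMAC-SHA256 over "header.payload"; shared by the verifier and the sample-token builder.
function hs256(signingInput, key) {
  return createHmac('sha256', key).update(signingInput).digest();
}

// Returns the decoded claims or throws. secretB64: shared secret, base64 (assumption).
function verifyExtensionJwt(token, secretB64, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: the token must never get to choose "none" or another alg.
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hs256(`${h}.${p}`, Buffer.from(secretB64, 'base64'));
  const given = Buffer.from(s, 'base64url');
  // Constant-time compare; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  // Only parse and trust the payload after the signature has been verified.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Constructed sample secret and token builder, for the demo only.
const SAMPLE_SECRET_B64 = Buffer.from('constructed-demo-secret-not-real').toString('base64');
function makeSampleToken(claims, secretB64 = SAMPLE_SECRET_B64) {
  const h = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const p = b64url(JSON.stringify(claims));
  return `${h}.${p}.${b64url(hs256(`${h}.${p}`, Buffer.from(secretB64, 'base64')))}`;
}
```

On the EBS, call `verifyExtensionJwt` on the token sent with each request and reject the request if it throws; authorize on the verified claims, never on values the client sends alongside the token.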