EventSub is a WebHook “Style” notification platform
So when you call “Create subscription” - Reference | Twitch Developers
Twitch will then make a HTTPS POST request to your transport → callback defined in your Payload.
And when Twitch makes that HTTPS POST call to your callback you verify the payload is from Twitch and expected, then echo back the challenge from the POST body. Then if this step is completed OK then Twitch will treate the subscription callback as verified
The callback needs to be protected by a “real” SSL Certificate. And be a URL/WebServer that is publically accessable.