The rate limits docs
Gives no opinion on the validation endpoint
So you should be fine. For the most part you’ll probably only need to validate for the users that are also playing. But you’ll probably also only want to validate, when they login.
Which may minimize the number of requests involved.