No you can't really secure an API endpoint to only allow specific callers without locking it down so it isn't public (e.g. by IP), or you can secure the client (trusted client infrastructure). Since you can't do that with a mobile app, etc., no you are screwed.
However, that means you have to look into other options, like instead of securing the client, secure the USER. Then it's up to the user to trust the client they are using with their password.
Or, once you realize that the server side is the only thing that can be protected, you go full OAuth, and require the app to redirect to your trusted servers for authentication (e.g., user creds never go through app), and the user "grants" the app the ability to act in your stead with a ticket that is a stand in for an authenticated "session" (A lot like a power of attorney actually).
OAuth inherently wants you to use very short lived tickets (a few minutes), and refresh tokens to establish a longer lived session that refreshes the real ticket after an expiration without having to task the user with logging in again to get a new one.
And yes, you can steal those. It's essentially like cookie / session hijacking, and for the same reasons that sessions should be short lived, an auth token should be short lived.
