Certificate pinning would help to prevent sniffing traffic with tools like mitmproxy, but once you decompile the binary, you can disable certificate validation.
I'm curious, in your case did you consider preventing third-party clients from using your API?