How to validate the source of a script tag

9 1 1

I have a script tag that successfully retrieves the payload from my server but I can't find an acceptable method for validating the source.  There doesn't seem to be an hmac available to check against.  How can I know this is from shopify since it a) runs via front end so waf rules can't be used to whitelist the source ip b) There is no hmac to validate the source either.

I can't find any way to get this to be anywhere close to secure.  Can anyone from shopify please comment on how this should be authenticated?

Is there some way to use script tags and app proxies together to make the front end call into the back end so the hmac will be included?