I was able to figure it out. You have to use App Proxies.
Once you set that up, you can determine the ID of the logged-in user who sent the request by reading the logged_in_customer_id query parameter, and you can make sure that the request came from Shopify by verifying the signature query parameter. For a Node.js app, you can verify the signature using the shopify-application-proxy-verification npm library.
Hope that helps anyone in a similar situation!
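
The signature check described in the answer above, written out with Node's built-in crypto module. This is an added example, not the poster's code and not the npm library's source; it follows Shopify's documented app proxy scheme (HMAC-SHA256 over the sorted query parameters, keyed with the app's shared secret). The secret, the function names and the sample query are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed placeholder; a real app loads its shared secret from configuration.
const SHARED_SECRET = 'example-shared-secret';

// Build the signed message: drop `signature`, join repeated values with ",",
// sort the "key=value" strings, concatenate with no separator, then HMAC it.
function computeProxySignature(params, secret) {
  const grouped = new Map();
  for (const [key, value] of params) {
    if (key === 'signature') continue;
    if (!grouped.has(key)) grouped.set(key, []);
    grouped.get(key).push(value);
  }
  const message = [...grouped]
    .map(([key, values]) => `${key}=${values.join(',')}`)
    .sort()
    .join('');
  return crypto.createHmac('sha256', secret).update(message).digest('hex');
}

// Returns { customerId } for a genuine request, or null if the signature is
// missing, malformed or wrong. customerId is null when nobody is logged in.
function verifyProxyRequest(queryString, secret) {
  const params = new URLSearchParams(queryString);
  const supplied = params.get('signature');
  if (!supplied || !/^[0-9a-f]{64}$/i.test(supplied)) return null;

  const expected = Buffer.from(computeProxySignature(params, secret), 'hex');
  const actual = Buffer.from(supplied.toLowerCase(), 'hex');
  // Constant-time comparison so the check does not leak how many bytes matched.
  if (!crypto.timingSafeEqual(actual, expected)) return null;

  // Read logged_in_customer_id only after the signature has been verified.
  return { customerId: params.get('logged_in_customer_id') || null };
}

// Constructed sample request, signed here with the placeholder secret.
const sampleQuery =
  'shop=example.myshopify.com&logged_in_customer_id=12345' +
  '&path_prefix=%2Fapps%2Fdemo&timestamp=1700000000';
const sampleSig = computeProxySignature(new URLSearchParams(sampleQuery), SHARED_SECRET);
console.log(verifyProxyRequest(`${sampleQuery}&signature=${sampleSig}`, SHARED_SECRET));
```

Reject the request whenever `verifyProxyRequest` returns null; a `logged_in_customer_id` taken from an unverified query string can be set to any value by the caller.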