As far as I know, the requests need to be sent through Shopify in order to append the HMAC signature and whatnot to the request headers. For example, in our Shopify web store I have some methods that send out requests to my middleware server for data via an app proxy. Same with embedded Shopify POS add-ins we have. In either case I validate those requests via the HMAC signature that Shopify is sending. But Shopify has to be the sender I believe. If Shopify isn’t the sender then those header specifics aren’t present.