Disable external access to REST API Endpoint

I’m playing around with the WP REST API and have setup a route that is used to create a new user when a form is submitted from the homepage. Here is how I setup the endpoint:

add_action('init', 'test_init');

function test_init() {
   // register the route
   add_action('rest_api_init', function () {
     register_rest_route( 'test/api/v1', '/user/add', array(
         'methods' => 'POST',
         'callback' => 'test_add_user',
     ));
   });
}

function test_add_user() {
   // make sure all data is available
   if (!isset($_POST['firstname'], 
              $_POST['surname'],
              $_POST['email'],
              $_POST['password'])) {
      exit;
   }

   // check so the user not already exists
   if (username_exists($_POST['firstname'])) {
      exit;
   }

   // create a new user
   $user = array(
      'user_pass' =>  $_POST['password'],
      'user_login' => $_POST['firstname'],
      'user_email' => $_POST['email'],
      'first_name' => $_POST['firstname'],
      'last_name' => $_POST['surname'],
      'role' => 'author'
    );

    $user_id = wp_insert_user($user);

    // return the id of the created user
    echo json_encode(array('id' => $user_id));
    exit;
}

What I’m wondering is how to best prevent external access to this route? I only want data from the actual form on the homepage to be able to post data to this endpoint.

I tried to check the origin in the callback, but I’m unsure if this is the correct way to do this:

function test_add_user() {
   // only allow request from the same origin
   if (get_http_origin() != home_url()) {
     exit;
   }

   ...
}

I though about perhaps using nonces or something along that line?

Perhaps I also should mention that the user submitting the form is not logged in so I cannot use a cookie based authentication or similar.

I would suggest to not use WP REST API for this purpose, since it’s being used on homepage and not any remote app/service.

The REST API is supposed to grant access to any already publicly available data to a remote developer.
Since you’re not providing any public data but registering users from homepage, Ajax might be a good alternative.
From official WordPress REST API Handbook

WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON (JavaScript Object Notation) objects. 

However this is not its only use case.

I would suggest to use Ajax for this purpose.

• Include the nonce with Ajax request.

• Hook the Ajax request handler with wp_ajax_nopriv action.

This makes sure the user is not logged in and the nonce makes sure that the form was generated by WordPress.

There are plugins already available for Ajax user registration, premium and free, WordPress plugins repository will be a good start.
I hope this alternative approach helps.