I'm currently building a webapp with React.
We are using an embedded Power BI report by fetching the credentials from an App Registration with a service principal in Azure Active Directory, because we want this webapp to be accessible by multiple clients without any individual Power BI licenses.
This works as expected; however, we have some security concerns, because in order to set up the Power BI client library we have to provide it with the report ID, the report embed URL and the access token from the App Registration.
The front end makes a request to the back end, which does all the needed requests for OAuth and returns the needed data to the front end. Since this data reaches our front end from the back end through a fetch request, users are able to view the request in the developer console of their browser.
How can we prevent clients from using our access token and report to view data from other clients?
I have found this in the documentation, but I don't see how this could help me in this situation.
Edit: Our setup might be a little bit atypical, since we are using this as an "embed for your customers" application. People log in to our platform and are able to see data in the Power BI iframe based on who they are, because we pass filters when initializing the iframe.
We want to prevent customers from being able to view ALL data without the filter, which they are able to do when they have the access token, report ID and report embed URL.
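One way to address the concern in this post, as an added example that is not part of the original post: the back end keeps the service principal's Azure AD token to itself and hands the browser only a short-lived embed token from the Power BI REST API `GenerateToken` call, bound to a row-level security (RLS) identity taken from the server-side session. The `session` and `cfg` shapes, the function names and the RLS role name are assumptions, and the dataset is assumed to have an RLS role that filters on `USERNAME()`.

```javascript
// Added example (not from the original post). Server-side only: the service
// principal's Azure AD token never leaves this module.
const API = "https://api.powerbi.com/v1.0/myorg";

// Build the GenerateToken call for one logged-in user. The identity comes from
// the server-side session, never from anything the browser sends.
function buildGenerateTokenRequest(session, cfg, aadToken) {
  if (!session || !session.customerId) throw new Error("unauthenticated session");
  if (!/^[A-Za-z0-9_-]+$/.test(session.customerId)) throw new Error("bad customerId");
  return {
    url: `${API}/groups/${cfg.workspaceId}/reports/${cfg.reportId}/GenerateToken`,
    init: {
      method: "POST",
      headers: { Authorization: `Bearer ${aadToken}`, "Content-Type": "application/json" },
      body: JSON.stringify({
        accessLevel: "View",
        identities: [{
          username: session.customerId, // value USERNAME() returns in the RLS rule
          roles: [cfg.rlsRole],         // assumed role name defined on the dataset
          datasets: [cfg.datasetId],
        }],
      }),
    },
  };
}

// Allow-list of the fields that may reach the browser.
function toBrowserPayload(cfg, apiResponse) {
  return {
    reportId: cfg.reportId,
    embedUrl: cfg.embedUrl,
    embedToken: apiResponse.token,
    expiration: apiResponse.expiration,
  };
}

// Route-handler body; fetchImpl is injectable so it can be exercised offline.
async function issueEmbedToken(session, cfg, aadToken, fetchImpl = fetch) {
  const { url, init } = buildGenerateTokenRequest(session, cfg, aadToken);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`GenerateToken failed: ${res.status}`);
  return toBrowserPayload(cfg, await res.json());
}
```

In the browser, `embedToken` is passed to the Power BI client library as `accessToken` with `tokenType: models.TokenType.Embed`. Filters set when initializing the iframe then affect presentation only, because the RLS identity inside the token limits the rows the service will return for it.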