What is best approach to securing an ASP.NET Core Web API when the client is an ASP.NET MVC app

I have an old .NET Framework MVC application. I'd like to put new business logic in a .NET 6.0 Web API. The old MVC app uses cookie-based authentication.

Below is part of the ConfigureAuth method. I'm including this so the authentication mechanism is clear and you don't rely on my rather poor understanding of this area in specifying what mechanism is used.

    public void ConfigureAuth(IAppBuilder app)
    {
        // One DbContext, user manager, sign-in manager and role manager per OWIN request
        app.CreatePerOwinContext(Context.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
        app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);

        // ASP.NET Identity application cookie; unauthenticated requests are redirected to /Account/Login
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Every 30 minutes the security stamp is re-checked against the store and the
                // identity is regenerated, so password changes / sign-out-everywhere take effect
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }

I'd like the ASP.NET Core Web API to be only accessible by authenticated users of the MVC app. I'd like the web API to know the identity of the user that has been authenticated with the MVC app. I'd like the Web API to be callable from the browser and from controllers of the MVC app. How do I approach this? I have spent time browsing topics in this area and am quite confused.
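One way to meet the three requirements above (API only for authenticated MVC users, API knows who the user is, callable from controllers and from the browser), as an added example rather than an answer posted on the page: the MVC app mints a short-lived signed token for the user it has already authenticated via the cookie, and the .NET 6 API accepts only such tokens. The issuer/audience names, the `ApiAuth:SigningKey` configuration key and the `ApiTokenIssuer` helper are assumptions; the two parts below belong in two different projects.

```csharp
// ---- (1) .NET 6 Web API, Program.cs: accept only tokens minted by the MVC app (hypothetical) ----
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Security.Claims;
using System.Text;
var builder = WebApplication.CreateBuilder(args);
// Shared HMAC secret, assumed to come from configuration (at least 32 bytes for HS256), never from source
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["ApiAuth:SigningKey"]!));
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = "mvc-app", ValidAudience = "business-api",   // assumed names; must match the issuer side
        IssuerSigningKey = key, ValidateIssuerSigningKey = true,
        ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(1),
    });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Reached only with a valid token; the caller's identity is read from the token's claims
app.MapGet("/api/whoami", (ClaimsPrincipal user) => new
{
    Name = user.Identity?.Name,
    Id = user.FindFirst(ClaimTypes.NameIdentifier)?.Value,
}).RequireAuthorization();
app.Run();

// ---- (2) .NET Framework MVC app: mint a short-lived token for the cookie-authenticated user ----
// Needs the System.IdentityModel.Tokens.Jwt NuGet package. Hypothetical helper, not from the question.
public static class ApiTokenIssuer
{
    public static string Issue(ClaimsPrincipal cookieUser, byte[] sharedKey)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = "mvc-app", Audience = "business-api",
            Subject = new ClaimsIdentity(new[]
            {   // copy only the claims the API needs from the cookie identity
                new Claim(ClaimTypes.NameIdentifier, cookieUser.FindFirst(ClaimTypes.NameIdentifier).Value),
                new Claim(ClaimTypes.Name, cookieUser.Identity.Name),
            }),
            Expires = DateTime.UtcNow.AddMinutes(5),   // short-lived; the MVC cookie stays the session of record
            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(sharedKey),
                                                        SecurityAlgorithms.HmacSha256Signature),
        };
        var handler = new System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }
}
```

MVC controllers call `ApiTokenIssuer.Issue(User as ClaimsPrincipal, key)` and send the result as an `Authorization: Bearer` header; browser code obtains a token from the MVC app (for example an authenticated MVC endpoint that returns one for the current session) and does the same, so the API never relies on the MVC cookie and cross-site requests cannot carry its credential automatically.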



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow