Protection against php curl
Any data that creates, stores and sends the customer (in this case, the baruzer) may be sent to the server by Curl. Dynamic names of variables for data, csrf can be used, code insulation that sends and generates data, but there are no solutions that will guarantee 100 per cent of expected data from the client. Any insulation may be de-infected, any defence algorithm or encryption may be scattered.
The methods used will work only if the time and level of knowledge of the perpetrator is comparable to the value of the data obtained or the damage caused by the shipment of data other than the expected.
Try to rethink the task and do it on the server side, for example.