this is not possible.
the static web app is acting as a proxy to azure function, exposing the azure function end point to the internet. because of the proxy, your static app does not require CORS. this will prevent another browser based javascript app from calling the proxy, but not a desktop/server app.
this is no different than using a screen scrapper to call a web sites backend. your api should validate the user authenication and data. it should never count on being called by the official app, same as a website postback.