@Iammra , Thank you for reaching out. Based on the details shared above, what I understand is that you have a .NET Web API published in your AAD tenant and some third-party application is trying to access this Web API using the client_credentials flow.
The other 3rd-party application is not registered in your AAD tenant, and it can make a call to your Web API using the client_credentials flow because you have provided the clientId and clientSecret to that 3rd-party application. Only applications that have access to your Web API's clientID and clientSecret would be able to fetch an access token for your app from AAD by submitting your Web API's credentials. AAD doesn't have a way to check who is making this call; it only checks whether the provided clientID and clientSecret are valid, and if they are valid an access token is issued to the app that made the request.
I did not quite understand the hack way you mentioned above; it would be great if you could share some more details on that along with screenshots for us to understand it better and guide you accordingly.
But the summary is, whoever has your Web API's clientID and clientSecret can obtain an access token from AAD for your Web API.
Hope this helps.
Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
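As an added illustration (not part of the answer above), here is a small Python script that assembles the client_credentials token request described in the answer and reads the application identity claim out of the resulting token, to show why the Web API cannot tell which party holds its secret. The tenant ID, client ID and secret are constructed placeholders, and the sample token is built locally and unsigned, so nothing here contacts AAD.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder values; not real tenant or application identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
WEB_API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"


def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Return (token_endpoint, form_body) for a v2.0 client_credentials grant.

    Note what is NOT in this request: anything identifying the party that
    sends it. AAD only validates the client_id/client_secret pair.
    """
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # Requests the Web API's own default scope (app-id URI form).
        "scope": f"api://{client_id}/.default",
    })
    return endpoint, body


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def caller_identity_from_token(jwt):
    """Return (app_identity, audience) from the token payload.

    Reads the payload WITHOUT verifying the signature; a real Web API must
    validate signature, issuer and audience before trusting any claim.
    The app identity (azp in v2 tokens, appid in v1 tokens) is the ID of
    the app whose credentials were submitted, i.e. the Web API itself.
    """
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    app = payload.get("azp") or payload.get("appid")
    return app, payload.get("aud")


def make_sample_token(app_id, aud):
    """Build a constructed, unsigned JWT that mirrors the claim shape AAD
    would issue for this grant. Demonstration only; not issued by AAD."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg({"alg": "RS256", "typ": "JWT"})
    payload = seg({"azp": app_id, "appid": app_id, "aud": aud})
    return f"{header}.{payload}.placeholder-signature"
```

Running `caller_identity_from_token(make_sample_token(WEB_API_CLIENT_ID, WEB_API_CLIENT_ID))` returns the Web API's own client ID as the app identity, which is exactly what the API would see no matter which third party submitted the secret.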