Office Online Server doesn’t restrict access from web apps for its action URLs. One of the options is to restrict access via IIS. Here is a step-by-step guide on IIS 8.0 Dynamic IP Address Restrictions.
In other words, Office Online does not do any authentication. Hosts are expected to handle authentication and authorization by providing WOPI access tokens. All user-related information is provided to Office Online by the host using properties in CheckFileInfo.
Access token
An access token is a string used by the host to determine the identity and permissions of the issuer of a WOPI request.
Access tokens must be valid for the user permissions that are provided by the host in the CheckFileInfo response. For example, if the view action is invoked, and the UserCanWrite property is set to true in the CheckFileInfo response, then the client may re-use that token when transitioning to edit mode. Thus, a WOPI client will expect that any access token is valid for operations that the user has permissions to perform. If a host wishes to issue access tokens that are more narrowly scoped, then the user permissions properties in the CheckFileInfo response must reflect the permissions that the token provides.
The WOPI host that stores the file has the information about user permissions, not the WOPI client. For this reason, the WOPI host must provide an access token that the client will then pass back to it on subsequent WOPI requests. When the WOPI host receives the token, it either validates it, or responds with an appropriate HTTP status code if the token is invalid or unauthorized.
For detailed information on access tokens, please refer to Key concepts under the WOPI REST API Reference.
Let me know if this answers your question.
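The token handling described above, sketched as an added example that is not part of the original answer or of any Microsoft sample: a host issues a token bound to user, file, write permission and expiry, then validates it on each WOPI request. WOPI leaves the token format to the host, so the HMAC-signed JSON layout, the `SECRET` key, the function names, and the use of 401 for every rejection are assumptions of this sketch.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: host-only secret, never sent to the client

def _sign(body: str) -> str:
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(user_id, file_id, can_write, ttl=600, now=None):
    """Host side: bind identity, file, permission and expiry into one opaque string."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "fid": file_id, "write": can_write, "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)

def validate_token(token, file_id, now=None):
    """Return the claims if the token is authentic, unexpired and for this file, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):  # constant-time comparison
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):  # malformed token: wrong shape, bad base64 or JSON
        return None
    if claims["fid"] != file_id or claims["exp"] <= now:
        return None
    return claims

def check_file_info(token, file_id, now=None):
    """Subset of a CheckFileInfo response; UserCanWrite mirrors what the token allows."""
    claims = validate_token(token, file_id, now)
    if claims is None:
        return 401, None
    return 200, {"UserId": claims["uid"], "UserCanWrite": claims["write"]}

def put_file(token, file_id, now=None):
    """A write operation: rejected unless the same token carries write permission."""
    claims = validate_token(token, file_id, now)
    if claims is None or not claims["write"]:
        return 401
    return 200

if __name__ == "__main__":
    t = issue_token("alice", "doc-1", can_write=False)  # constructed sample values
    print(check_file_info(t, "doc-1"), put_file(t, "doc-1"))
```

Because `UserCanWrite` is read from the token itself, the permissions reported in CheckFileInfo cannot drift from what the token actually authorizes, which is the consistency requirement stated above.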