The game key can be easily discovered through Javascript/Client.
To prevent hacking and abuse, I would suggest having a Domain Whitelist option so the API can only accept client connections originating from a domain or domain list given by the developer. The Google reCaptcha project which is a widely used website verification tool has been using this method (whitelisting domains, including localhost for testing) and it works perfectly.
For Javascript using web to mobile apps like PhoneGap/Ionic, you could have it checked through package names (com.example.app) for validation.
Or is there a way that this can be done through Server C# Code, how?