Querying the Management API - authentication

Your users have to log in somehow, and you need to obtain their access_token after the fact. You can send them to the login screen like normal, but they would end up in the Backoffice afterwards. If you register your own OpenId descriptor, you can set the allowed redirect URL to be back to your frontend. That was my approach.

Great if you can show things with Razor instead. The equivalent to the UmbracoAuthorizedApiController would be ManagementApiControllerBase and an added Authorize filter, like so:

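using Microsoft.AspNetCore.Authorization;
using Umbraco.Cms.Api.Management.Controllers;
using Umbraco.Cms.Web.Common.Authorization;
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
public class MyControllerBase : ManagementApiControllerBase
{}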

That hooks your controller up to the .NET authentication, and you can query them using the Backoffice access_token or the token from an API User.
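An added example, not code from the post or from Umbraco: a sketch of the frontend side of the login round trip described above, assuming the custom OpenId descriptor is used with the authorization-code flow and PKCE. The endpoint URL, client id and redirect URL are placeholders, and it uses Node's crypto module so it can run outside a browser.

```javascript
const crypto = require("node:crypto");

// Assumed placeholders, not values from the post: substitute your server's
// authorize endpoint and the client id / redirect URL of your own descriptor.
const AUTHORIZE_URL = "https://cms.example.test/authorize";
const CLIENT_ID = "my-frontend";
const REDIRECT_URI = "https://app.example.test/callback";

const b64url = (buf) => buf.toString("base64url");
const pkceChallenge = (verifier) =>
  b64url(crypto.createHash("sha256").update(verifier).digest());

// Step 1: build the login URL; keep `pending` in the user's session only.
function beginLogin() {
  const pending = {
    verifier: b64url(crypto.randomBytes(32)), // proves we started this flow
    state: b64url(crypto.randomBytes(16)),    // binds the callback to this session
  };
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    code_challenge: pkceChallenge(pending.verifier),
    code_challenge_method: "S256",
    state: pending.state,
  }).toString();
  return { url: url.toString(), pending };
}

// Step 2: validate the redirect before trading the code for an access_token.
function handleCallback(callbackUrl, pending) {
  const cb = new URL(callbackUrl);
  if (cb.origin + cb.pathname !== REDIRECT_URI) throw new Error("unexpected redirect target");
  const got = Buffer.from(cb.searchParams.get("state") ?? "");
  const want = Buffer.from(pending.state);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) throw new Error("state mismatch");
  const code = cb.searchParams.get("code");
  if (!code) throw new Error(cb.searchParams.get("error") ?? "missing code");
  // Form body to POST to the token endpoint (URL not shown on the page).
  return new URLSearchParams({
    grant_type: "authorization_code", code, client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI, code_verifier: pending.verifier,
  });
}

// Step 3: every API call carries the token as a bearer credential.
const withToken = (accessToken) => ({ headers: { Authorization: `Bearer ${accessToken}` } });
```

The redirect URL sent here has to match the one allowed on the descriptor exactly, and the `state` check is what stops a callback that this session never started from being exchanged for a token.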