
websecurity - Understanding security merely using API-token + Origin - Stack Overflow


This question applies to all structurally equivalent scenarios but I am using a specific example to explain.

I wanted to use the MapTiler API with their Leaflet plugin for a super basic visualization, but I noticed that the example requires the API key to be passed in JavaScript. That doesn't feel secure at all, as I obviously don't want anyone to make arbitrary requests using my token, but only when they actually use my website. So I looked around a bit further, and their documentation states:

If you have your map published only on certain websites, you can list them in the Allowed HTTP origins field. For example, mydomain will ensure that only requests coming from mydomain will be processed. Use *.mydomain to allow requests from subdomains.
[...]

Documentation-Reference

That still seems weird to me, as anyone could easily use curl or a bunch of other means to craft requests while setting the Origin header to whatever they like.

What am I missing here that ensures that my token would not be abused with such a security-setup?
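As an added illustration of the restriction the quoted documentation describes (this is not MapTiler's code; the hostnames, keys and request headers are constructed placeholders), a server-side Origin allow-list check in Python, using the "host" and "*.host" syntax from the quote:

```python
from urllib.parse import urlsplit

# Constructed allow-list in the syntax the quoted documentation uses:
# a bare host allows that host only; a "*." prefix allows its subdomains.
ALLOWED_ORIGINS = ["example.com", "*.example.com"]


def origin_host(origin_header):
    """Return the lowercase host from an Origin header value, or None.

    Origin is "scheme://host[:port]" (or the literal "null"); a value that
    does not parse to an http(s) host is treated as absent.
    """
    if not origin_header or origin_header.strip().lower() == "null":
        return None
    parts = urlsplit(origin_header.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def host_matches(host, pattern):
    """Match one allow-list entry the way the quoted documentation describes."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # "*.example.com" covers a.example.com and a.b.example.com, but not
        # the apex "example.com" and not a look-alike such as "evilexample.com",
        # because the comparison keeps the leading dot.
        return host.endswith(pattern[1:])
    return host == pattern


def origin_allowed(origin_header, allowed=ALLOWED_ORIGINS):
    """Decide whether a request's Origin header passes the allow-list.

    A missing or unparsable Origin is refused: browsers always send one on
    cross-site fetch/XHR, so its absence already means a non-browser client.
    """
    host = origin_host(origin_header)
    if host is None:
        return False
    return any(host_matches(host, p) for p in allowed)


def check_request(headers, api_key, valid_keys, allowed=ALLOWED_ORIGINS):
    """Gate one request on key validity and Origin; returns (ok, reason)."""
    if api_key not in valid_keys:
        return False, "unknown key"
    if not origin_allowed(headers.get("Origin"), allowed):
        return False, "origin not in allow-list"
    return True, "ok"
```

The check cannot tell whether a well-formed Origin came from a browser or from a hand-crafted request; what it reliably blocks is other websites embedding your key, since browsers set Origin themselves and page scripts cannot change it. Per-key usage quotas and alerting on unexpected volume are the complement for the scripted case the question describes.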
