Can't anybody pass any user that has bought the game?
Nope.
The Itch application passes an environment variable to your application that contains a session API key. It's unique to the user and dare I say impossible to forge. You then take that API key and pass it as an Authorization header to the https://itch.io/api/1/jwt/me endpoint. If you get a user JSON object back, then the key is valid and you can trust that they are who they say they are.
If you get an object back that contains anything else, like an error, then it's not valid.
I finally got this set up tonight. Here is a sample of what might be returned upon verifying a key against the API:
POST /api/1/jwt/me HTTP/1.1
Host: itch.io
Authorization: The ITCHIO_API_KEY environment variable sent to your game
{
  "user": {
    "gamer": false,
    "id": 509014,
    "url": "https://dobydigital.itch.io",
    "username": "dobydigital",
    "developer": true,
    "press_user": false
  }
}
Here's what it might look like if you send an invalid token through:
{ "errors": [ "invalid base64" ] }
{ "errors": [ "header not HS256" ] }
Basically anything with error in it is invalid, so don't authenticate the user.
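The check described in the post above, written out as an added example (this is not code from the post's author or from itch.io). It reads ITCHIO_API_KEY from the environment, POSTs it as the Authorization header to https://itch.io/api/1/jwt/me, and accepts the user only when the response is HTTP 200 and contains a user object with no errors key. The function names, the injectable fetch parameter and the sample response bodies are assumptions made for the example; the sample bodies are constructed from the responses quoted in the thread.

```python
import json
import os
import urllib.error
import urllib.request

ITCH_JWT_ME_URL = "https://itch.io/api/1/jwt/me"

# Constructed sample bodies, copied from the responses quoted in the thread.
SAMPLE_VALID = ('{"user": {"gamer": false, "id": 509014, '
                '"url": "https://dobydigital.itch.io", "username": "dobydigital", '
                '"developer": true, "press_user": false}}')
SAMPLE_BAD_B64 = '{"errors": ["invalid base64"]}'
SAMPLE_BAD_ALG = '{"errors": ["header not HS256"]}'


def read_session_key(environ=None):
    """Return the session key the itch app injected, or None if it is absent."""
    env = os.environ if environ is None else environ
    key = env.get("ITCHIO_API_KEY", "").strip()
    return key or None


def fetch_jwt_me(api_key, timeout=10):
    """Real network call: POST the key to /jwt/me, return (status, body_text).

    The header value is the raw key, as the post describes. The key is a bearer
    credential for this user's session, so never log it or write it to disk.
    """
    req = urllib.request.Request(
        ITCH_JWT_ME_URL, data=b"", method="POST",
        headers={"Authorization": api_key, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # itch.io still sends a JSON body (the "errors" object) on 4xx.
        return exc.code, exc.read().decode("utf-8", "replace")


def parse_jwt_me(body):
    """Classify a /jwt/me body. Returns (user_dict_or_None, reason).

    Only a JSON object with a well-formed "user" entry and no "errors" key is
    accepted; anything else, including non-JSON bodies, is rejected.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None, "response is not JSON"
    if not isinstance(data, dict):
        return None, "unexpected response shape"
    if "errors" in data:
        errs = data["errors"] if isinstance(data["errors"], list) else [data["errors"]]
        return None, "api error: " + "; ".join(str(e) for e in errs)
    user = data.get("user")
    if (not isinstance(user, dict) or not isinstance(user.get("id"), int)
            or not isinstance(user.get("username"), str)):
        return None, "no user object in response"
    return user, "ok"


def verify_session(api_key, fetch=fetch_jwt_me):
    """Return (user, reason): user is the verified itch.io user or None.

    `fetch` is injectable so the logic can be exercised offline (assumption made
    for this example); production code just uses the default fetch_jwt_me.
    """
    if not api_key:
        return None, "no session key (game not launched from the itch app?)"
    try:
        status, body = fetch(api_key)
    except (urllib.error.URLError, OSError) as exc:
        return None, "request failed: %s" % exc
    user, reason = parse_jwt_me(body)
    if user is None:
        return None, reason
    if status != 200:
        # A user object on a non-200 status is not something we expect; fail closed.
        return None, "unexpected HTTP status %d" % status
    return user, "ok"


if __name__ == "__main__":
    user, why = verify_session(read_session_key())
    if user is None:
        print("not verified:", why)
    else:
        print("verified itch.io user %s (id %d)" % (user["username"], user["id"]))
```

Two things worth keeping in mind when using this: the decision is only as trustworthy as the code that makes it, so a check performed inside the game binary stops an honest launcher from being misused but does not stop someone patching the binary; if the result gates something on your own server, have the client hand the key to that server and let the server call /jwt/me itself. And treat the key as a secret for the length of the session, since anyone holding it can obtain the same user object.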