I recently just followed a guide here that explains the setup process for token based authentication. One way that I can imagine passing some form of app specific identification would be using claims.
So you have website A which redirects you to your login system page. Website A also passed in some other data like where to take the user after login and where Website A is. Your authentication system looks at this data and using a switch of some form you append a claim to the users token that identifies their current app scope.
Also to help combat the user switching apps very fast and still having access to app resources for app1 while on app2 make your access_tokens expire very fast. In my running demo website built using above guide mine expire every minute, as well the implementation of a refresh_token makes everything easier. Another step that could be helpful is while appending claims to users also append a role to that user stating they're on a website.
Then on app1's /api/endpoint/getData set the [Authorize(Roles="App1")], this will ensure that only access_tokens that contain a role = App1 can use that endpoint then inside your javascript or whatever client side scripting your using simply do logical checks for errors such as not accessing a specific endpoint and maybe the user needs to get a new access_token using the refresh token and so on and so on.
Using that same guide I listed above, follow that link and search for this:
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
As you can see the identity is adding claims which are basically just values that are going to be encapsulated inside the access_token.
Now when a user calls into your web api that has an authorized attribute above it you simply do a check on that users claims.
