I have an endpoint in my API like: api/users/{:userId}/...

I only want the user with userId to have access to his own endpoint and not to the endpoints of any other user.

I implemented a JWT Bearer token, which is used for authorization. I get the id from it and check if it matches the route the user wants to access:

[HttpGet("{userId:int}"), Authorize]
public async Task<ActionResult> GetUserById([FromRoute] int userId)
{
    var id = int.Parse(User.FindFirstValue(ClaimTypes.NameIdentifier));

    if (id != userId)
    {
        return BadRequest("Access denied.");
    }
    
    var user = await unitOfWork.UserRepository.GetUserByIdAsync(userId);
    
    if (user == null)  
        return NotFound("User not found");

    return Ok(user);
}

Now, I don't think this is the correct approach. The token can easily be tampered with and the id changed. How else could I do this?