How to secure API calls from reverse engineering in a distributed commercial app?

I’m working on a desktop application that I’ll be distributing to users. The app interacts with a database hosted on AWS via an API. While I’m aware of methods like API keys and other authentication mechanisms, my main concern is making these API calls as resistant as possible to reverse engineering.

Here are my questions I’m trying to address:

1. How can I make the API calls from my application harder to reverse engineer?
2. What steps can I take to prevent users from intercepting or replicating these calls, even if they manage to decompile the app?
3. What’s the best way to protect authentication credentials in the distributed compiled code?

Since this app will be widely distributed, I want to prevent unauthorized users from accessing my database directly by mimicking or hijacking the API calls. I understand that no system is completely secure, but my goal is to make it as difficult as possible for someone to extract and exploit these communications.

The app is being built in C++ and API is communicating with DB deployed on AWS. Whats the best way to secure the API? Thanks!