I think you should look into the OIDC SSO module.
Unlike its name suggests, this module can also be used to secure your 'back-end' Mendix app.
The 'first' app can pass the token in an HTTP header as a bearer token to the Mendix app. The OIDC SSO module can validate that token, and OIDC SSO also has functionality to pass it on to a downstream API.
Hope this helps.