Private authentication algorithm - web security

I'm working on a project which generates audio from text(TTS) and provides player with speed/pitch control to users.

My question is related to request security.

The user got widget_id during registration on my site, he put some js in his site, and api works on his site. When the user click on send button, the api.js file sends ajax POST request to my site with widget_id data as well. Then on my side I got the widget_id and the referer:

$referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';

I'm getting the site value related to the widget_id from my database, and comparing it with $referer.

... if($website_url == $referer) { $website_checked = true; } ...

So my question is: can the attacker using some lib(maybe Curl) change the $_SERVER["HTTP_REFERER"] value, and broke my security?

for example if he use curl and the code:

curl_setopt($ch, CURLOPT_REFERER, 'https://anysite.io/');

Thanks.

So I've updated the question cause as I was thinking that can not be trusted. So please the basic steps of Private authentication algorithm...

Update3: So I started a bounty cause I need to understand the algorithm of Private Authentication in my scenario.

from Private authentication algorithm - web security