I implemented AppCheck to protect a backend endpoint but it doesn't work as intended.
So far the basics work, as I followed the instructions for NodeJs (backend) and Android (with the PlayIntegrity provider). I also configured everything in Firebase and Google Cloud console. My API endpoint is "protected", as I can't access it without an appCheckToken.
The problem is, that I uploaded my app to the Google Play console and released it as an internal test. In the Play console settings for PlayIntegrity I configured, that it should require MEETS_STRONG_INTEGRITY. When I install the test build on a device that only passes MEETS_BASIC_INTEGRITY (tested with Simple Play Integrity Checker app), it can still access the protected resource.
Are there any additional settings I need to take care of?
How can I make sure, that only devices that pass MEETS_STRONG_INTEGRITY can access my resource?