In order to even do a request you need to have the API key, set up the device/session and sign requests while sending all the required headers. That seems like enough security to me to ensure someone doesn't start sending requests without permission.
I would understand if Bunq had a web app and an attacker could use the user's cookies to do requests, but I don't see why that is a problem for this API.