Seems like the perfect use-case for HTTP headers (e.g., Slack does this). The header (e.g. something like X-Signature) would contain the signature for the request body. (Note that you have to format the JSON response exactly the same way for the signature to work – simple way would be “sorted keys, zero whitespace”)
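
A sketch of the scheme described above, as an added example that is not part of the original comment: the body is serialized with sorted keys and zero whitespace, signed, and the signature is carried in an `X-Signature` header. HMAC-SHA256 with a shared secret, hex encoding, the function names and the sample values are assumptions; the comment does not name a signature algorithm.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: shared secret, constructed sample value


def canonical_body(payload) -> bytes:
    """Serialize with sorted keys and zero whitespace so both sides sign identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign(payload, secret: bytes = SECRET) -> str:
    """Hex HMAC-SHA256 over the canonical form of the payload."""
    return hmac.new(secret, canonical_body(payload), hashlib.sha256).hexdigest()


def verify(raw_body: bytes, headers: dict, secret: bytes = SECRET) -> bool:
    """Re-canonicalize the received JSON and compare signatures in constant time."""
    received = headers.get("X-Signature")
    if not received:
        return False  # missing header is a verification failure, not a pass
    try:
        payload = json.loads(raw_body)
    except ValueError:  # covers malformed JSON and invalid UTF-8
        return False
    expected = sign(payload, secret)
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(expected.encode(), received.encode())


def demo():
    # Constructed sample messages
    payload = {"user": "alice", "amount": 10, "items": ["a", "b"]}
    headers = {"X-Signature": sign(payload)}
    pretty = json.dumps(payload, indent=2).encode()          # same data, extra whitespace
    reordered = b'{"items": ["a", "b"], "amount": 10, "user": "alice"}'  # same data, new key order
    tampered = b'{"amount":1000,"items":["a","b"],"user":"alice"}'        # value changed
    return verify(pretty, headers), verify(reordered, headers), verify(tampered, headers)


if __name__ == "__main__":
    print(demo())
```

Signing the raw body bytes exactly as transmitted is an alternative that avoids re-serializing on the receiving side.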