Certificate pinning in the mobile client is highly recommended; OWASP's pinning guidance has outlined the Who, What, Why and How. Prefer pinning the server's public key (SPKI) over the leaf certificate, and always ship a backup pin so a certificate rotation does not lock users out of the app.
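As an added illustration (not code from the original page or from OWASP), the following Python client shows what pinning actually adds on top of normal TLS validation: after the handshake it hashes the peer's DER certificate and refuses to talk unless that hash is in a pin set. The pin values and the `PINNED_HOST` name are placeholders; a real deployment generates the pins from its own certificates. It pins the whole certificate rather than the SPKI, because extracting the SubjectPublicKeyInfo needs an X.509 parser (for example the `cryptography` package); the same comparison applies to SPKI pins once you have them. On Android the equivalent is a `<pin-set>` in the Network Security Config rather than hand-written socket code.

```python
import base64
import hashlib
import hmac
import socket
import ssl

# Placeholder host and pin set for the example. Pins are base64(SHA-256(DER certificate));
# keep at least one backup pin for the next certificate so rotation cannot brick clients.
PINNED_HOST = "api.example.invalid"
PINNED_CERT_HASHES = {
    "replace-with-base64-sha256-of-current-cert=",
    "replace-with-base64-sha256-of-backup-cert=",
}


def cert_pin(der: bytes) -> str:
    """Pin value for a DER-encoded certificate: base64 of its SHA-256 digest."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def pin_matches(der: bytes, pins) -> bool:
    """True if the certificate's pin is in the pin set (constant-time compare per entry)."""
    pin = cert_pin(der)
    return any(hmac.compare_digest(pin, candidate) for candidate in pins)


def pinned_connect(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes normal chain/hostname validation AND the pin check."""
    ctx = ssl.create_default_context()  # CA validation and hostname check still apply
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        leaf_der = tls.getpeercert(binary_form=True)  # DER bytes of the leaf certificate
        if not leaf_der or not pin_matches(leaf_der, pins):
            raise ssl.SSLError(f"certificate pin mismatch for {host}")
    except Exception:
        tls.close()  # never hand back a socket that failed the pin check
        raise
    return tls


if __name__ == "__main__":
    # Usage sketch; fails closed until real pins for PINNED_HOST are filled in.
    conn = pinned_connect(PINNED_HOST, 443, PINNED_CERT_HASHES)
    conn.close()
```

Pinning the full certificate means the pin set must be updated before every renewal; SPKI pins survive renewals that keep the same key pair, which is why OWASP prefers them.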
Static keys (as opposed to keys generated per user or per install with real randomness) need to be, at a minimum, obfuscated. There are many ways, of varying complexity, to do this (ProGuard on Android is the bare minimum, and note that it only renames identifiers and does not hide string constants); Carve Systems has a good write-up on this. Treat any secret shipped inside the app as recoverable by a determined attacker: obfuscation raises the cost of extraction but does not prevent it, so a static key should never be the only thing standing between an attacker and the API.
It should go without saying, but all APIs (not just GraphQL) should only be served over HTTPS, and every request should be authenticated (for example with an HMAC signature over the method, path, body, timestamp and a nonce, so that a captured request cannot be replayed; libraries in most languages already implement this, so there is no need to roll your own).
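To make the HMAC recommendation concrete, here is an added example (not the page's or any library's code) of both sides of request signing in Python's standard library: the client signs a canonical string covering the method, path, timestamp, nonce and a body digest, and the server recomputes the MAC with a constant-time compare, rejects stale timestamps, and refuses to accept the same nonce twice. The shared secret, header names and sample GraphQL body are constructed for the example; the nonce set is an in-memory stand-in for a store that expires entries after the clock-skew window.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for the example. Real deployments issue one per client,
# keep it server-side, and never bake it into an app binary (see the static-key note above).
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed sample GraphQL request body.
SAMPLE_BODY = b'{"query": "{ me { id email } }"}'

MAX_CLOCK_SKEW_SECONDS = 300


def string_to_sign(method, path, timestamp, nonce, body):
    """Canonical form covered by the MAC: every part an attacker could usefully change."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_digest]).encode()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: returns the auth headers to attach to the request."""
    ts = str(int(time.time()) if timestamp is None else int(timestamp))
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, string_to_sign(method, path, ts, nonce, body), hashlib.sha256)
    return {"X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


def verify_request(secret, method, path, body, headers, seen_nonces,
                   now=None, max_skew=MAX_CLOCK_SKEW_SECONDS):
    """Server side: returns (accepted, reason). seen_nonces is a mutable set of used nonces."""
    ts = headers.get("X-Timestamp")
    nonce = headers.get("X-Nonce")
    signature = headers.get("X-Signature")
    if not (ts and nonce and signature):
        return False, "missing auth headers"
    if not ts.isdigit():
        return False, "malformed timestamp"
    current = int(time.time() if now is None else now)
    if abs(current - int(ts)) > max_skew:
        return False, "timestamp outside window"
    expected = hmac.new(secret, string_to_sign(method, path, ts, nonce, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return False, "bad signature"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)  # only record nonces from requests that verified
    return True, "ok"


if __name__ == "__main__":
    used = set()
    hdrs = sign_request(SHARED_SECRET, "POST", "/graphql", SAMPLE_BODY)
    print(verify_request(SHARED_SECRET, "POST", "/graphql", SAMPLE_BODY, hdrs, used))
    print(verify_request(SHARED_SECRET, "POST", "/graphql", SAMPLE_BODY, hdrs, used))  # replay
```

The body digest goes into the signed string rather than the raw body so the same canonical form works for large uploads, and the nonce is recorded only after the signature verifies so an attacker cannot burn nonces with forged requests.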
Common attacks on a GraphQL API (introspection exposure, deeply nested or heavily aliased queries that exhaust the server, injection through resolver arguments, and missing authorization on individual fields), together with best practices and recommendations, are outlined by OWASP.
There is also a good GraphQL security audit tool (linked here).
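As an added example of the resource-exhaustion and introspection controls those recommendations call for (this is illustrative code, not the page's, OWASP's or any audit tool's), the following Python scanner pre-screens a query before it reaches the executor: it measures selection-set nesting depth, counts aliases (the alias-based batching trick used to brute-force logins past per-request rate limits), and flags `__schema`/`__type` when introspection is meant to be off. It is a single-pass lexer that skips string literals, comments and argument lists rather than a full GraphQL parser; the limits and sample queries are constructed for the example, and a production server would typically enforce the same policy with the validation rules of its GraphQL library.

```python
import re

# __typename is harmless and commonly used, so only the schema-walking fields are flagged.
INTROSPECTION_FIELD = re.compile(r"__(?:schema|type)\b")


def scan_query(query):
    """One pass over a GraphQL document: deepest selection-set nesting, alias count,
    and whether introspection fields appear. Braces and colons inside string literals,
    comments and argument lists (parentheses) are ignored so they cannot skew the counts."""
    depth = max_depth = parens = aliases = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                                  # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):               # block string
            end = query.find('"""', i + 3)
            i = n if end < 0 else end + 2
        elif ch == '"':                                # string literal with \-escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif ch == "(":
            parens += 1
        elif ch == ")":
            parens = max(parens - 1, 0)
        elif parens == 0:                              # outside argument lists only
            if ch == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch == "}":
                depth = max(depth - 1, 0)
            elif ch == ":":                            # `alias: field` form
                aliases += 1
        i += 1
    return {
        "depth": max_depth,
        "aliases": aliases,
        "introspection": bool(INTROSPECTION_FIELD.search(query)),
    }


def check_query(query, max_depth=7, max_aliases=10, allow_introspection=False):
    """Return the list of policy violations; an empty list means the query may run."""
    info = scan_query(query)
    problems = []
    if info["depth"] > max_depth:
        problems.append(f"depth {info['depth']} exceeds {max_depth}")
    if info["aliases"] > max_aliases:
        problems.append(f"{info['aliases']} aliases exceeds {max_aliases}")
    if info["introspection"] and not allow_introspection:
        problems.append("introspection is disabled")
    return problems


if __name__ == "__main__":
    # Constructed sample queries: a normal one, and an alias batch that retries a login 12 times.
    print(check_query("{ user(id: 1) { name } }"))
    brute = "{ " + " ".join(f'a{i}: login(user: "bob", pw: "{i}")' for i in range(12)) + " }"
    print(check_query(brute))
```

Depth and alias ceilings are cheap to enforce before execution, but they are not a substitute for the library's own query-cost analysis or for per-resolver authorization checks.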