I understand how to secure the function using https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api but that is overkill for my function as only ADB2C should be calling it.
How do I use a function key to secure it or is it not possible?
You just put the function key in the ServiceURL (as azure function provides), and set the rest api technical profile up for no authentication.