You have two issues.
The first is how the web form app passes the user login information to the Web API site. Typically this is done with a header.
The second is how the Web API verifies that the call is from the web form application, and not another source. You can use certificates, point-to-point firewall rules, authentication (different from the web form authentication), or shared encryption keys.
Another approach is to use a JWT token created by the web form application, which it passes to the Web API application when it makes a call. The Web API application then calls back to the web form application (login server) to verify the JWT token, or uses shared encryption keys.
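The shared-key variant of the JWT approach, as an added example that is not part of the original post: the web form side issues a short-lived HS256 token naming the logged-in user, and the Web API side checks signature, issuer, audience and expiry before trusting that name. It assumes .NET 6 or later; the class name `ServiceToken`, the `webforms-app` / `webapi` claim values and the two-minute lifetime are hypothetical choices, and a maintained JWT library would normally do this work.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed demo values; the key would come from protected configuration on both sites.
byte[] key = RandomNumberGenerator.GetBytes(32);
var now = DateTimeOffset.UtcNow;
string token = ServiceToken.Issue("alice", key, now);
Console.WriteLine(ServiceToken.TryValidate(token, key, now, out var u) ? "accepted: " + u : "rejected");
Console.WriteLine(ServiceToken.TryValidate(token, key, now.AddMinutes(5), out _) ? "accepted" : "rejected (expired)");

static class ServiceToken   // hypothetical helper, not a library API
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] FromB64Url(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    static byte[] Sign(string input, byte[] key) =>
        HMACSHA256.HashData(key, Encoding.ASCII.GetBytes(input));

    // Web form side: issue a short-lived token for the logged-in user.
    public static string Issue(string user, byte[] key, DateTimeOffset now)
    {
        string header = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        string payload = B64Url(JsonSerializer.SerializeToUtf8Bytes(new {
            sub = user, iss = "webforms-app", aud = "webapi", exp = now.AddMinutes(2).ToUnixTimeSeconds() }));
        return header + "." + payload + "." + B64Url(Sign(header + "." + payload, key));
    }

    // Web API side: true only if the token was signed with the shared key and is still valid.
    public static bool TryValidate(string token, byte[] key, DateTimeOffset now, out string user)
    {
        user = "";
        string[] p = token.Split('.');
        if (p.Length != 3) return false;
        try
        {
            // The algorithm is fixed to HS256 here; the header's "alg" is never trusted.
            if (!CryptographicOperations.FixedTimeEquals(Sign(p[0] + "." + p[1], key), FromB64Url(p[2])))
                return false;
            using var doc = JsonDocument.Parse(FromB64Url(p[1]));
            var c = doc.RootElement;
            if (c.GetProperty("iss").GetString() != "webforms-app" ||
                c.GetProperty("aud").GetString() != "webapi") return false;
            if (c.GetProperty("exp").GetInt64() <= now.ToUnixTimeSeconds()) return false;
            user = c.GetProperty("sub").GetString() ?? "";
            return user.Length > 0;
        }
        catch (Exception) { return false; }   // malformed base64 or JSON, missing claim
    }
}
```

The token would travel in a request header such as `Authorization: Bearer <token>`, and the Web API should take the user name from the validated `sub` claim only, never from a separate unsigned header.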