Yup. And I wonder how they fixed it - did they actually find a way to distinguish the owner from the hackers? Does anyone know how the initial pairing with the app works?


I mean the dirt simple way would be to authenticate the user's account, return some JWT/cookie, and then when you make requests to the API, pair that token w/ the VIN. If the VIN doesn't belong to that token (or the token itself is invalid), 403 it.


Well yes, there are many ways this can be solved properly, but this doesn't mean they used any of those.

P.S.: not that it matters, but - 401?


I'd use 403 for it. 401 is similar, but would apply more to "you typed in the wrong password" than "you tried to circumvent the security".

The difference is narrow, though, and really it's just semantics so both would be valid IMO: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
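As an added illustration of the scheme sketched in this thread (authenticate the account, hand back a signed token, then tie every vehicle request to the VIN enrolled to that account) and of the 401-versus-403 split discussed above, here is a small self-contained check in Python. It is not code from the original thread or from any vehicle vendor; the HMAC-signed `payload.signature` token is a simplified stand-in for a JWT, and `SERVER_KEY`, `VIN_OWNERS` and the VINs are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side HMAC key; in production this comes from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed ownership table standing in for the database row written when a
# vehicle is paired with an account (hypothetical VINs and user ids).
VIN_OWNERS = {
    "1HGCM82633A004352": "user-42",
    "WVWZZZ1JZXW000001": "user-7",
}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(user_id: str, ttl_seconds: int = 3600) -> str:
    """Mint a compact signed token (payload.signature) once the user has logged in."""
    claims = {"sub": user_id, "exp": int(time.time()) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(sig)


def verify_token(token):
    """Return the user id if the token is well-formed, untampered and unexpired, else None."""
    if not isinstance(token, str) or token.count(".") != 1:
        return None
    payload_b64, sig_b64 = token.split(".")
    try:
        payload = unb64(payload_b64)
        sig = unb64(sig_b64)
    except ValueError:  # bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


def authorize_vehicle_request(token, vin: str):
    """Decide a request against /vehicles/<vin>; returns (status, body).

    401: no usable credential (missing, malformed, tampered or expired token).
    403: the caller is authenticated but the VIN is not enrolled to their account.
    200: the VIN belongs to the caller.
    """
    user_id = verify_token(token)
    if user_id is None:
        return 401, {"error": "authentication required"}
    # An unknown VIN gets the same answer as someone else's VIN, so the response
    # does not reveal whether a given VIN exists in the system.
    if VIN_OWNERS.get(vin) != user_id:
        return 403, {"error": "vehicle not associated with this account"}
    return 200, {"vin": vin, "owner": user_id}


if __name__ == "__main__":
    tok = issue_token("user-42")
    print(authorize_vehicle_request(tok, "1HGCM82633A004352"))   # own car -> 200
    print(authorize_vehicle_request(tok, "WVWZZZ1JZXW000001"))   # someone else's -> 403
    print(authorize_vehicle_request("not-a-token", "1HGCM82633A004352"))  # -> 401
```

The point of the ownership lookup is that the VIN in the URL is never trusted on its own: the server derives the account from the verified token and then asks whether that account enrolled that VIN, which is exactly the per-request pairing the comment above describes.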



