In line with @cyclops's answer, you could check Meteor.isCordova. Essentially you could block your router (FlowRouter if you are following the guide) to prevent a browser from rendering the page.
Personally, I use the online version of our app to check the admin side, so I don’t necessarily want to block it, just limit it.
Why are you trying to block access via the web browser? If it’s just because your client side isn’t designed/optimized for the browser (and your server will block any erroneous calls) then a simple check of Meteor.isCordova that determines which template to render should be fine.
However you’re asking if app.mydomain.com is insecure - those who are dedicated to accessing your application from a browser will be able to 1) spoof the necessary environment variables to use your client or 2) access your methods directly through their own client.
There’s nothing you can do to 100% verify they are using only the client you want them to.
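The server-side half of the point above, as an added example that is not part of the original post: a plain Node.js stand-in for a Meteor-style method layer, where the handler authorizes on the userId the server bound to the connection and ignores any client-reported isCordova value. The names callMethod, roles, 'orders.delete' and the sample users are hypothetical.

```javascript
// Added example: constructed stand-in for a Meteor-style method layer.
// roles, methods, callMethod and the user ids are hypothetical names.
const roles = { u1: 'admin', u2: 'user' }; // constructed server-side role store

const methods = {
  // The handler decides using only server-held state (this.userId and roles).
  // Nothing the caller reports about its own environment is consulted.
  'orders.delete'(orderId) {
    if (typeof orderId !== 'string' || orderId.length === 0) {
      throw new Error('invalid-argument');
    }
    if (!this.userId) throw new Error('not-logged-in');
    if (roles[this.userId] !== 'admin') throw new Error('not-authorized');
    return { deleted: orderId };
  },
};

// connection.userId is set by the server at login. clientEnv is whatever the
// caller sent about itself (for example an isCordova flag) and is deliberately
// never passed to the handler, because any client can claim any value.
function callMethod(connection, name, args, clientEnv = {}) {
  const known = Object.prototype.hasOwnProperty.call(methods, name);
  if (!known) return { error: 'method-not-found' };
  try {
    return { result: methods[name].apply({ userId: connection.userId }, args) };
  } catch (e) {
    return { error: e.message };
  }
}

// Constructed calls: the claimed environment does not change the outcome.
const outcomes = [
  callMethod({ userId: 'u2' }, 'orders.delete', ['o-1'], { isCordova: true }),
  callMethod({ userId: 'u1' }, 'orders.delete', ['o-1'], { isCordova: false }),
  callMethod({ userId: null }, 'orders.delete', ['o-1'], { isCordova: true }),
  callMethod({ userId: 'u1' }, 'orders.delete', [{ $ne: null }], {}),
];
console.log(outcomes);
```

In a real Meteor app the same checks sit inside the Meteor.methods handler, so the Meteor.isCordova check on the client only chooses which template to render.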