attach the token to the Websocket URL in the query params. I.e: ws://localhost:4000/ws?token=...
In the server, in the connection established event, get the sessions URL (I supposed you have access to it although I can't recall), and get the search params from it.
validate the token, and if not validated - manually disconnect the websocket from the server.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
I suggest this solution:
ws://localhost:4000/ws?token=...