Instead of sending the user's identity, you should consider authenticating against the API. Since SPFx solutions are client-side, it would be trivial for someone else to pretend they're calling the API on behalf of someone else. The following article explains the concept and available capabilities in more detail: https://docs.microsoft.com/en-us/sharepoint/dev/spfx/web-parts/guidance/connect-to-api-secured-with-...

@Russell Gove 

I'm two years late to the party, but I want to add my 2 cents to help others, who are looking for the same answers.

Goal

- Securely call Azure Function from an SPFx webpart/extension

- Prevent users from spoofing/faking their logins by passing them to the Azure Function

- Inside Azure function's trigger, retrieve the login information of the currently logged SPFx/SharePoint in user

Solution

- Follow this article to secure your Azure function with Azure AD. Instead of JavaScript - use C# + .NET Core: https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient-enterpriseapi

- Inside your Azure function HTTP trigger, inject ClaimsPrincipal claimsPrincipal. It will contain all  claims of the currently logged in user including login: