I don’t know of a way to do that - your client-side code needs to have some way of communicating with your server-side code, and some manner of publicly-accessible endpoint is the only way for the code running in your user’s browser to be able to communicate with the code running on the server in your Glitch project. Essentially you’re building an API for your bot.
You could use something like socket.io to hide the communication from the user a little bit, or you could put together some way of authenticating that the request is coming from your website (passing along a token that you match against a value stored in your
.env file, for instance). Or if you wanted to go all-out you could implement some sort of authentication using something like Auth0, but even that just adds a layer of misdirection and forces your user (which might also just be your website) to authenticate itself.
But by definition your site’s users will be able to see all of that code in their browser if they want to and can reverse engineer whatever you’re doing to protect your endpoint and access those methods.
Perhaps someone else has a different approach that I’m not thinking of.