I was making a small app (.Net web api backend service and angularjs for frontend) just to learn these frameworks, started to like project itself and thought it would be nice to deploy it...

However thing my .net rest service is as public as it gets, at the moment anyone can crud exposed through api objects and obviously I don't want somebody clearing my database once in a while. I don't really store any sensitive information, it's small web game, all I store in db are things like items, locations, game lobbies, players (only id, username and reference columns), but still deleting them will cause big problems somewhere.

So what how can I prevent this? My first thought is that it would be solved as long as nobody discovers my api address by somehow hiding API calls from user. Is this possible and realistic solution?

You cannot hide your API calls from the client, no matter what you do they could always use a packet sniffer like Wireshark to see what your app is doing.

You need to build a safer API that only allows users to manipulate their account. You can control their access by assigning tokens, like the way oAuth works.