Specifying the AuthenticationSchemes on the following controller will only allow users who are authenticated with the cookies authentication scheme:
[Route("api/[controller]")]
[Authorize(ActiveAuthenticationSchemes ="Cookies")]
public class EmployeeController : Controller
{
}