As to your questions.
1. Yes, you can make an external call via a cloud code logic as shown here.
2. You can parse a body or query string parameters sent to the cloud function. Then handle them as required. More information on query parameters is available here and an example how to handle the request body here. You can also consider calling your endpoint on this directly from the app.
3. In the context of a cloud function, you can have these variables/settings within the code logic. This seems like the simplest, yet applicable approach. However, this context will be available only for a given cloud function. I am making a note for this and we will consider the suggestion.
In addition, I’d suggest that you explore the data and business logic validation rules you can apply from within the Backend Services API. For example, you may want to use the Cloud Code events for a type cancel the request for a user that cannot be verified with your API, or mark all data types as read-only.
I hope that this helps. Let me know if you have further questions.