How to safely call Azure Function with function level authorization in Xamarin mobile app?

Just to make sure I understand, your concern is about embedding secrets (the ?code=XXX value) in your iOS/Android app, correct? If so, yes, this is generally considered bad security practice. It's best to assume that anyone who can download your app will have the ability to discover these secrets and use them any way they want.

The recommended way to authenticate with a backend service, such as Azure Functions, from a mobile device is to use interactive authentication - i.e. some kind of OAuth flow. You can build it yourself, or you can use the built-in functionality of Azure Functions and Azure App Service to help you (Azure Functions is built on top of App Service). Here is a resource which might be useful:

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview

https://contos.io/working-with-identity-in-an-azure-function-1a981e10b900#.vcjit3ntw

The API Key (code) is indeed not meant to be used by clients you distribute externally, so it shouldn't be used by your mobile app.

The most straight forward option here would be to use the built in App Service Authentication features with Azure Functions and implement an authentication flow in your app, which would allow you to securely authenticate the user.

Sharing more information about your scenario may help identify alternatives.