Any protocol you come up with can be reverse engineered, so I wouldn’t waste any time on attempting to obfuscate it. If someone makes a custom client that can login to your service, well, they can do that now, but they can’t really do anything useful with it, so they successfully wasted their time…
We just send simple POST requests to our web service with a payload in json format. All connections made by the game client are encrypted using TLS 1.2.