Because you control the client software so you just make a TLS client that has only your root trust anchor. This is exactly the same as CA/pubkey pinning from a threat model perspective.