I built what I thought was a secure Go gRPC app; we have a RootCA-signed certificate working and everything pretty much works.
Little did I know, you can use a tool like "gRPCurl -insecure" and grab (my) data as if TLS wasn't even there. I missed something in the way gRPC binds and makes endpoints available. I need to be able to LOCK DOWN endpoints so that only TLS-secured connections (that I further inspect and process) are allowed. Somehow, even with all the effort to set up TLS, it is still quite easy to bypass with a tool like gRPCurl.
What am I doing wrong? Is there a config file I need to set up? Do I need to pass a parameter to the network binding? Is this a public/private scoping issue at the code level? I'm lost.
My two questions are:
1) Is there a way to force *secure only* connections?
2) Is it better in gRPC to check security (e.g. JWT tokens) at the call level, or can gRPC be secured at a session level? Is there even a concept of a SESSION in gRPC, or is it better thought of as a multiplex of independent connections that each need to be managed independently?
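The following is an added example, not code from the poster's app, that shows what "secure only" looks like at the transport layer using only the Go standard library. It builds a throwaway in-memory CA, issues a server certificate and a client certificate, and starts a listener whose `tls.Config` sets `ClientAuth: tls.RequireAndVerifyClientCert`. It then probes that listener three ways: a plaintext client sending the HTTP/2 preface, a TLS client that trusts the CA but presents no certificate, and a TLS client presenting a CA-issued client certificate. Only the last one gets application data back. In grpc-go the same `tls.Config` is what you hand to `grpc.Creds(credentials.NewTLS(cfg))` when constructing the server, and per-call checks such as validating a JWT from request metadata belong in a `grpc.UnaryInterceptor` / `grpc.StreamInterceptor`; the CA name, hostnames and `ok` reply below are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// PKI holds a throwaway in-memory CA plus one server and one client certificate.
type PKI struct {
	Pool   *x509.CertPool
	Server tls.Certificate
	Client tls.Certificate
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn}, // constructed demo names
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// BuildPKI generates a root CA and signs a server cert (for "localhost") and a client cert with it.
func BuildPKI() (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := template("demo-root-ca", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	leaf := func(cn string, serial int64, usage x509.ExtKeyUsage, dns []string) (tls.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return tls.Certificate{}, err
		}
		t := template(cn, serial)
		t.ExtKeyUsage, t.DNSNames = []x509.ExtKeyUsage{usage}, dns
		der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
		if err != nil {
			return tls.Certificate{}, err
		}
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
	}
	srv, err := leaf("localhost", 2, x509.ExtKeyUsageServerAuth, []string{"localhost"})
	if err != nil {
		return nil, err
	}
	cli, err := leaf("grpc-client", 3, x509.ExtKeyUsageClientAuth, nil)
	if err != nil {
		return nil, err
	}
	return &PKI{Pool: pool, Server: srv, Client: cli}, nil
}

// ServerTLSConfig is the config a gRPC server would wrap with credentials.NewTLS:
// every peer must present a certificate chaining to our CA, or the handshake fails.
func ServerTLSConfig(p *PKI) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{p.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    p.Pool,
		MinVersion:   tls.VersionTLS12,
		NextProtos:   []string{"h2"}, // gRPC runs over HTTP/2
	}
}

// ClientTLSConfig trusts the demo CA; withCert decides whether the client identifies itself.
func ClientTLSConfig(p *PKI, withCert bool) *tls.Config {
	cfg := &tls.Config{RootCAs: p.Pool, ServerName: "localhost", NextProtos: []string{"h2"}}
	if withCert {
		cfg.Certificates = []tls.Certificate{p.Client}
	}
	return cfg
}

// StartServer listens on a loopback port and writes "ok" only to peers that complete the mutual-TLS handshake.
func StartServer(cfg *tls.Config) (string, func(), error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(raw net.Conn) {
				defer raw.Close()
				tc := tls.Server(raw, cfg)
				if err := tc.Handshake(); err != nil {
					return // plaintext bytes or a missing/untrusted client cert end up here
				}
				tc.Write([]byte("ok"))
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// Probe connects as a client; a nil config means plaintext (the HTTP/2 preface a non-TLS client sends).
// It returns nil only if the server delivered application data.
func Probe(addr string, clientCfg *tls.Config) error {
	raw, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(2 * time.Second))
	var conn net.Conn = raw
	if clientCfg == nil {
		if _, err := raw.Write([]byte("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n")); err != nil {
			return err
		}
	} else {
		tc := tls.Client(raw, clientCfg)
		if err := tc.Handshake(); err != nil {
			return err
		}
		conn = tc // TLS 1.3 clients only learn of a cert rejection on the first read
	}
	buf := make([]byte, 2)
	if _, err := io.ReadFull(conn, buf); err != nil {
		return fmt.Errorf("server refused: %w", err)
	}
	if string(buf) != "ok" {
		return fmt.Errorf("unexpected reply %q", buf)
	}
	return nil
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	addr, stop, err := StartServer(ServerTLSConfig(p))
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("plaintext:          ", Probe(addr, nil))
	fmt.Println("tls, no client cert:", Probe(addr, ClientTLSConfig(p, false)))
	fmt.Println("tls + client cert:  ", Probe(addr, ClientTLSConfig(p, true)))
}
```

The check that matters is on the server: with `RequireAndVerifyClientCert` there is no way to reach application data without a certificate the server's `ClientCAs` pool trusts, regardless of what a client chooses to verify on its side. Per-call authorization (a JWT in metadata, scopes per method) is a separate layer on top of this and is evaluated on every RPC, since gRPC has no session object; the TLS connection and its verified peer identity are the only per-connection state a handler can rely on.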