The PlayStore thing is quite involved.
You put code in your app to make a purchase. The store returns the sale details, which include a token, on successful purchase. The store also sends a message direct to your webserver, which needs to acknowledge it, and then it receives all the information, including (?) the token, which you store and then compare with what comes from the app.
That way you've got a token that users haven't had a chance to tamper with, via a route that the users don't have access to, that you can compare with what the app sends.
It's not very simple, but we are programmers, so that's fine :)
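The server-side comparison described in the post above, as an added sketch that is not part of the original post and does not use the store's real API. The class name, field names, order-id keying and result strings are all assumptions for illustration, and the sample values are constructed.

```python
import hmac


class PurchaseLedger:
    """Tokens learned over the store-to-server channel (hypothetical schema)."""

    def __init__(self):
        # order_id -> {"token": bytes, "product": str, "claimed_by": str | None}
        self._orders = {}

    def record_store_message(self, order_id, product_id, token):
        """Call from the webhook handler once the store's message is acknowledged."""
        # First write wins, so a replayed or duplicate message cannot swap the token.
        self._orders.setdefault(order_id, {
            "token": token.encode("utf-8"),
            "product": product_id,
            "claimed_by": None,
        })

    def verify_app_claim(self, user_id, order_id, product_id, token):
        """Compare what the app sent with what the store sent to the server."""
        entry = self._orders.get(order_id)
        if entry is None:
            # The app can reach the server before the store's message does:
            # grant nothing yet and let the client retry.
            return "pending"
        # Constant-time comparison of the two copies of the token.
        if not hmac.compare_digest(entry["token"], token.encode("utf-8")):
            return "rejected"
        if entry["product"] != product_id:
            return "rejected"  # genuine token presented for a different item
        if entry["claimed_by"] not in (None, user_id):
            return "rejected"  # token already redeemed by another account
        entry["claimed_by"] = user_id  # same-user retries stay idempotent
        return "granted"


def demo():
    """Run the constructed scenario and return each decision in order."""
    ledger = PurchaseLedger()
    early = ledger.verify_app_claim("alice", "order-1", "gems_100", "tok-A")
    ledger.record_store_message("order-1", "gems_100", "tok-A")
    forged = ledger.verify_app_claim("alice", "order-1", "gems_100", "tok-B")
    good = ledger.verify_app_claim("alice", "order-1", "gems_100", "tok-A")
    reused = ledger.verify_app_claim("bob", "order-1", "gems_100", "tok-A")
    return [early, forged, good, reused]


if __name__ == "__main__":
    print(demo())
```

The entitlement is granted only from the server's copy of the purchase; the app's copy is treated as a claim to be checked, never as proof.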