I am new to IBM ISAM and webseal.
How do backend web applications verify that the IV headers (e.g. iv-user) is created by webseal and not some malicious third party?
It doesn't :)
Generally a sort of IP filter or similar is the best to use here, so the application can ensure that the request originates from a known webseal server.
An alternative to iv-* headers is to create some sort of signed token such as a JWT token that can be verified by the application.