You cannot ensure that data came from a form. A POST request is just a POST request, it can be generated in any number of ways. An HTML form is just one of those ways that’s very user friendly. Your server needs to validate whether the data received via the POST request is valid or not and whether to act on it or not.

Having said that, there are things that can help you to restrict and validate the data that is being submitted. First of all, require that a user is logged in using (session) cookies. That eliminates random requests by anonymous users. Secondly, you can embed a token as a hidden field into the form which you also save into the user’s session. The POST request needs to contain that token in order to be valid. The token is simply a pseudo-random string.
You can enhance this by preparing a hash of the form fields that you expect the user to submit. If the form value should be read-only, you can include the value into the hash as well. E.g.:

$rand = md5(mt_rand());
$hash = sha1('lastname:firstname:email:' . $rand);

$_SESSION['rand'] = $rand;
$_SESSION['hash'] = $hash;

// on form submit:

$keys = array_keys($_POST);
$checkHash = sha1(join(':', $keys) . ':' . $_SESSION['rand']);
if ($checkHash != $_SESSION['hash']) {
    die('Form submission failed token validation');
}

That’s just a quick example, you’ll probably want to sort the keys alphabetically to make sure you’ll get the same hash etc. It demonstrates the concept of the user needing to have a unique token for each request though which prevents tempering with forms and submitting more or less data than wanted.

This still does not mean that a user actually used your form to submit the data though.