The correct (and only) place for authentication data, such as a custom nonce value, is in the request headers.
- You can't send it as part of the URL (including query param) because that would alter the resource you were trying to delete. Query parameters are part of the resource identifier, and anyone who tells you otherwise is lying.
- You can't send it in the body because the delete method has no request body.