I have done this in Module.php as it's called before any of the controllers.
Advantage of doing this in module.php
1)You don't have to do this in all the controllers
2)We can directly return error response from the Module.php if call is not authorized.