oauth 2.0 basic question

I am new to Apigee, so this may be a funny question, but I have one:

If any hacker gets an OAuth 2.0 token, can he call the API using the Authorization header? How to secure that?

3 REPLIES

Not applicable

If the token is stolen, then until expiry the token can be used.

But, if you know about this, then you can invalidate the token.

If any hacker gets an OAuth 2.0 token, can he call the API using the Authorization header?

Yes, an OAuth 2.0 bearer token is a bearer token. The holder or bearer of the token can present the token when requesting service. The token is a secret. Don't lose it, don't leak it. Any party that holds the token can use it to request service.

How to secure that?

Take normal precautions: Use TLS, don't log tokens, don't send tokens in query strings.


EDIT

I forgot to mention the possibility to use token binding.

If you use mutual TLS, the client presents a certificate at the transport layer, even when requesting a token. If that's your case, then there is an option to "bind" OAuth tokens to the mTLS certificate. The way to do this is to extract the cert fingerprint, or the subject DN, and attach that as a custom attribute to the token at the time of generation. Then later, when the client presents the token for service, you can configure Apigee to first verify the token, and second verify that the fingerprint or DN that was used during the request for the token is the same as the fingerprint or DN that is used in the current request for service. If the certs differ, then Apigee can raise a fault, rejecting the request.

Some people call this "token binding". Or "Binding the token to the TLS Certificate".

You may also be able to do the same thing using the TLS session ID. That would not require mutual TLS; you could do that using one-way TLS.

Here is a reference for the variables that would help you enforce token binding.
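The binding and revocation logic described in the two replies above, as an added example that is not part of the thread and not Apigee's own policy configuration: a small Python token store that records the SHA-256 fingerprint of the client certificate as a custom attribute when the token is issued, refuses the token later if a different (or no) certificate is presented, and also supports the invalidation mentioned in the first reply. The certificate bytes, client ids and timestamps are constructed placeholders; a real gateway would hash the DER bytes of the mTLS client certificate it terminated.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the DER bytes of two client certificates.
CERT_ALICE = b"-----CONSTRUCTED CERT alice-----"
CERT_MALLORY = b"-----CONSTRUCTED CERT mallory-----"


def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of the certificate bytes (the value to bind to)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TokenRecord:
    client_id: str
    expires_at: float
    bound_fingerprint: Optional[str]  # custom attribute attached at generation
    revoked: bool = False


class TokenStore:
    """Minimal bearer-token store with optional certificate binding."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, client_id: str, ttl_seconds: float, now: float,
              client_cert_der: Optional[bytes] = None) -> str:
        # An opaque, unguessable token; the fingerprint is stored server-side,
        # so nothing about the certificate leaks through the token itself.
        token = secrets.token_urlsafe(32)
        fingerprint = cert_fingerprint(client_cert_der) if client_cert_der else None
        self._tokens[token] = TokenRecord(client_id, now + ttl_seconds, fingerprint)
        return token

    def revoke(self, token: str) -> None:
        """Invalidate a token before expiry (e.g. after a suspected leak)."""
        record = self._tokens.get(token)
        if record is not None:
            record.revoked = True

    def verify(self, token: str, now: float,
               client_cert_der: Optional[bytes] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). Checks token validity first, then binding."""
        record = self._tokens.get(token)
        if record is None:
            return False, "unknown_token"
        if record.revoked:
            return False, "revoked"
        if now >= record.expires_at:
            return False, "expired"
        if record.bound_fingerprint is not None:
            # Token was bound at issue time: the same certificate must be
            # presented on every request, otherwise a stolen token is useless.
            if client_cert_der is None:
                return False, "no_client_cert"
            presented = cert_fingerprint(client_cert_der)
            if not hmac.compare_digest(presented, record.bound_fingerprint):
                return False, "cert_mismatch"
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the scenarios from the thread and return each outcome."""
    store = TokenStore()
    t0 = 1_000.0
    bound = store.issue("app-alice", 3600, t0, CERT_ALICE)
    results = {
        "legit_client": store.verify(bound, t0 + 10, CERT_ALICE),
        "stolen_other_cert": store.verify(bound, t0 + 10, CERT_MALLORY),
        "stolen_no_cert": store.verify(bound, t0 + 10, None),
        "after_expiry": store.verify(bound, t0 + 3600, CERT_ALICE),
    }
    store.revoke(bound)
    results["after_revoke"] = store.verify(bound, t0 + 10, CERT_ALICE)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} -> {outcome}")
```

The order of checks matters: the token is validated (known, not revoked, not expired) before the binding is compared, which mirrors the "first verify the token, second verify the fingerprint" flow described above. Binding to the subject DN instead of the fingerprint would only change `cert_fingerprint`.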

Not applicable

Using mTLS will ensure the request is coming from the correct consumer.

Even if someone gets the token but is not mTLS authorized, they cannot access the API.