Custom data access using Lambda functions


We aim to utilize Amplify's offline and sync capabilities in our native apps while maintaining our existing authentication process. I understand that we can employ Lambda functions for custom data access to authenticate our tokens, but I'm uncertain about how we can limit data access to respective owners. Is there a method to include owner information in the Lambda function?

I referred to this link for token verification, which functions smoothly, allowing us to establish the userId during token validation. However, we're unsure about how to incorporate owner information from Lambda into the data. https://docs.amplify.aws/gen2/build-a-backend/data/customize-authz/custom-data-access-patterns/

  const response = {
    isAuthorized: isAuthorized,
    resolverContext: {
      // eslint-disable-next-line spellcheck/spell-checker
      userid: userId,
      author: userId,
      info: 'contextual information A',
      more_info: 'contextual information B'
    },
    deniedFields: [
      `arn:aws:appsync:${process.env.AWS_REGION}:${accountId}:apis/${apiId}/types/Event/fields/comments`,
      `Mutation.createEvent`
    ],
    ttlOverride: 300
  };

This is our schema

import {
  type ClientSchema,
  a,
  defineData,
  defineFunction
} from '@aws-amplify/backend';


const schema = a.schema({
  Todo: a
    .model({
      content: a.string(),
      author: a.string()
    })
    // STEP 1
    // Indicate which models / fields should use a custom authorization rule
//     .authorization([a.allow.public()])
    .authorization([a.allow.custom()])
});

export type Schema = ClientSchema<typeof schema>;

export const data = defineData({
  schema,
  authorizationModes: {
    defaultAuthorizationMode: 'lambda',
    // STEP 2
    // Pass in the function to be used for a custom authorization rule
    lambdaAuthorizationMode: {
      function: defineFunction({
        entry: './custom-authorizer.ts'
      }),
      // (Optional) STEP 3
      // Configure the token's time to live
      timeToLiveInSeconds: 300
    }
  }
}); 

At the moment, with any valid token we are able to query all the records created by all users, but we want to limit that to only the owner's records. We want to understand exactly how the authorisation rule works for the owner. We would appreciate any suggestions on how to accomplish this.
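One way to carry the owner from the Lambda authorizer into data access, as an added example that is not from the poster or from Amplify's own code: the authorizer returns the owner in `resolverContext`, and the resolver reads it back from `ctx.identity.resolverContext` (the field AppSync populates for Lambda auth mode) to filter list results, reject reads and writes of other users' records, and stamp `author` from the verified identity rather than from client input. The `owner` key, the helper names and the token table are assumptions; the table stands in for the real token verification the poster already has.

```javascript
// Constructed token table standing in for real signed-token verification.
const KNOWN_TOKENS = { 'tok-alice': 'alice', 'tok-bob': 'bob' };

// Lambda authorizer handler. AppSync passes the caller's token as
// event.authorizationToken; everything returned in resolverContext becomes
// ctx.identity.resolverContext inside the resolvers.
function authorize(event) {
  const userId = KNOWN_TOKENS[event.authorizationToken];
  if (!userId) return { isAuthorized: false };
  return {
    isAuthorized: true,
    resolverContext: { owner: userId }, // 'owner' is this example's key name
    ttlOverride: 300,
  };
}

// Resolver-side (list/scan): DynamoDB filter so only the caller's records
// come back. Throws if the authorizer did not establish an owner.
function ownerFilter(ctx) {
  const owner = ctx.identity?.resolverContext?.owner;
  if (!owner) throw new Error('Unauthorized: no owner in resolverContext');
  return {
    expression: '#author = :owner',
    expressionNames: { '#author': 'author' },
    expressionValues: { ':owner': { S: owner } },
  };
}

// Resolver-side (get/update/delete): deny when the stored item belongs to
// someone else. Returns the item so it can be chained in a pipeline.
function assertOwner(ctx, item) {
  const owner = ctx.identity?.resolverContext?.owner;
  if (!owner || !item || item.author !== owner) {
    throw new Error('Unauthorized: not the owner of this record');
  }
  return item;
}

// Resolver-side (create): the author field is always taken from the verified
// identity, so a client cannot create records on behalf of another owner.
function stampOwner(ctx, input) {
  const owner = ctx.identity?.resolverContext?.owner;
  if (!owner) throw new Error('Unauthorized: no owner in resolverContext');
  return { ...input, author: owner };
}
```

The filter and checks must live in the resolvers because the authorizer alone only decides whether the caller may reach the API at all; `a.allow.custom()` does not add any owner scoping by itself.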

No answers
