Your contract contains two functions: the payable function, which is called by your user, and an admin-only function named authorize, which is called by your site. When a user completes the KYC tasks on your site, the authorize function is called from your admin address with the user's address. This address is added to a map in the contract. When the user calls the payable function, the function verifies that the user's address is contained in the map, then issues tokens accordingly. If the user's address is not in the map, i.e. they have not been authorized by an admin, the function fails.
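The pattern described above, written in Solidity as an added example (not code from the original post). Only authorize and the address map come from the text; the contract name, buy, revoke, withdraw, the in-contract balance ledger and the fixed rate are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. Names other than authorize are hypothetical.
contract KycGatedSale {
    address public immutable admin;               // the site's admin address
    mapping(address => bool) public authorized;   // the map of KYC-approved addresses
    mapping(address => uint256) public balanceOf; // assumed token ledger
    uint256 public constant TOKENS_PER_WEI = 100; // constructed rate

    event Authorized(address indexed user);
    event Revoked(address indexed user);
    event TokensIssued(address indexed user, uint256 weiPaid, uint256 tokens);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender; // deployer is the admin
    }

    // Called by the site, from the admin address, after the user completes KYC.
    function authorize(address user) external onlyAdmin {
        require(user != address(0), "zero address");
        authorized[user] = true;
        emit Authorized(user);
    }

    // Assumption, not on the page: lets the admin undo an approval.
    function revoke(address user) external onlyAdmin {
        authorized[user] = false;
        emit Revoked(user);
    }

    // The payable function the user calls. Reverts unless the caller is in the map.
    function buy() external payable {
        require(authorized[msg.sender], "not authorized");
        require(msg.value > 0, "no ether sent");
        uint256 tokens = msg.value * TOKENS_PER_WEI; // checked arithmetic in 0.8
        balanceOf[msg.sender] += tokens;
        emit TokensIssued(msg.sender, msg.value, tokens);
    }

    // Assumption: admin collects the proceeds.
    function withdraw() external onlyAdmin {
        (bool ok, ) = admin.call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }
    // No receive() or fallback(): plain ether transfers revert, so tokens are only issued through buy().
}
```

The check uses msg.sender rather than tx.origin, so the address that must be in the map is the direct caller; the events give the site an on-chain audit trail of every approval and revocation.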