AA will send its Public Key as part of the signed transaction. BB will use that public key to decrypt the transaction hash sent by AA and verify that public belongs to the private key through which transaction was signed.

Now important part is how will BB knows that this public key belongs to same address through which payment is outgoing. That is simple because addresses are created using public keys. ADDRESS = base58(ripemd-160(sha256(public key))) So BB will use above formula to check if the public key belongs to the same address.

AA will send its Public Key as part of the signed transaction. BB will use that public key to decrypt the transaction hash sent by AA and verify that public key actual belongs to AA's private key.

Now important part is how will BB knows that this public key belongs to AA's address and AA has not signed transaction on UTXOs belonging to other random addresses.

Well this verification is easy as addresses are created using public keys.

ADDRESS = base58(ripemd-160(sha256(public key)))

So BB will use above formula to check if the public key belongs to same address which is used by AA to spend the transaction.