The wisdom of a thin controller is that if you need to test your controller in isolation then you need to stub the dependencies of your request and response. It also violates the single responsibility principal because the controller could have multiple reasons to change.
Seemingly, the alternative is to settle on having fat models. This results in having domain logic right next to your persistence logic. If you ever want to change your persistence layer you're going to be in for a painful time. That's a bit of a cargo cult argument because honestly who does that, but it's also a violation of the single responsibility principal.
One way to decouple your domain logic from both persistence and controller is to use the "repository pattern".
Here we encapsulate domain logic into a data service. This layer deals exclusively with implementing your domain logic and is entirely reliant on using the repository layer to fetch data.
The repository layer takes care of sorting, aggregating, and filtering your data. It doesn't have intelligence beyond these basic functions. It is unable to make a call directly to the actual data store but rather uses an entity to do so. This keeps the mechanism of retrieving data from storage separate from the logic required to massage it into a shape that is useful to your data service.
In code I usually namespace the domain to keep it clear what I'm trying to do. So I'd end up with namespaces something like this:
The "Contract" namespace is where I keep my interfaces. I personally like grouping them up like that, but your mileage may vary.
If you're looking for more concrete code examples, I blogged about this many years ago (here). I'm not sure that adding code to the explanation actually helps to improve understanding though. The principal of what we're trying to do is to decouple our domain logic from our persistence mechanism and our controller logic. We want to adhere to SOLID principals and have code that we can test and maintain without swearing.