I am not aware of a way to do this via configuration. I would use an application-level firewall and filter everything that wasn’t prefixed by /api.
Of course, anything that can be done via the UI can be done via the API, but it would take a little more work on someone’s part to stand up the UI somewhere else.
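
The prefix filter suggested above, sketched as an added example that is not part of the original reply or of any product's own code. The function name `is_allowed` and the sample request targets are constructed for illustration, and the check assumes the backend treats paths as case-sensitive. It refuses anything that only looks like `/api` until it is decoded or normalized.

```python
from urllib.parse import unquote

API_PREFIX = "/api"  # the prefix named in the reply; everything else is dropped


def is_allowed(request_target: str) -> bool:
    """Return True only when the request path sits under API_PREFIX."""
    # Only the path decides; drop the query string and fragment.
    raw_path = request_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(raw_path)
    # A second decode that still changes the path means double encoding:
    # refuse rather than guess how many times the backend decodes.
    if unquote(path) != path:
        return False
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return False
    segments = path.split("/")[1:]
    for i, seg in enumerate(segments):
        # Dot-segments could walk out of /api once the backend normalizes.
        if seg in (".", ".."):
            return False
        # Empty segments ("//") are parsed differently by different servers;
        # a single trailing slash is the only one accepted.
        if seg == "" and i != len(segments) - 1:
            return False
    # Compare the whole first segment so "/apiary" does not pass as "/api".
    return segments[0] == API_PREFIX.lstrip("/")


# Constructed sample request targets, not taken from any real log.
SAMPLES = [
    "/api/v1/items?id=3",
    "/api",
    "/",
    "/index.html",
    "/apiary",
    "/api/../ui",
    "/api/%2e%2e/ui",
    "/api/%252e%252e/ui",
    "//api/v1",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print("ALLOW" if is_allowed(target) else "DENY ", target)
```
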