Simple solution: JSON with API - only for authorized users, for everyone else - static content, collected entirely on the server side.
Each API function request is 2 requests to the API with receiving and executing on the client side an obfuscated JS task between them , and with a time limit between them from 1 to 3 seconds:
1st - request signature to API (or getting a public key) and getting a JS task
2nd - getting a response to a request to the API (if everything is correct and REFERER is allowed )
1. When loading the page, by requesting the API (via JS) on the API side, we generate a temporary public token (PUB-TOKEN) and a JS task based on the HTTP protocol parameters (IP, REFERER, etc ..).
2 Then, we execute the JS task and immediately exchange the PUB-TOKEN through a repeated request to the API ( using the JS code received from the API and obfuscated! ) for a public key (API-KEY).
3. API-KEY is saved in cookies.
*the page appeared in the browser*
We sign the request with the public API-KEY specifically for this client and again make two requests to the API:
1 Sending data to check the processing of the request and receiving a JS code with a temporary token (PUB-TOKEN). Execution of JS code with API-KEY, PUB-TOKEN, TIMESTAMP parameters.
2 Sending the result of executing the JS code and receiving the result of the request to the API.
0. All invalid requests and REASONS! their occurrence (for example, it is possible that, due to the connection speed, you will have to compensate for the PUB-TOKEN lifetime, increasing it to 5-10 seconds)!
1. All requests must be UNIQUE!
2. Do not allow requests to be reused.
3. The task code in JS for obtaining a public key or executing requests to the API must:

• be dynamically generated on the API side and be unique (polymorphism)
  
• be extremely difficult to analyze
  
• as much as possible: check that the runtime is a real browser
  
• execute quickly on the client side
  

With CORS, you can control who is allowed to make
CORS requests.

1) And "on the forehead" with the help of iptables? same IP?
2) api.web.ru = 127.0.0.1 ...
3) Using web servers (for example, apache - allow? deny?)
4) ..htaccess - I don't remember rewritemod works with ip addresses...

If the request is made from the client, then in general there is no way to prevent the client from forging the request. But you can complicate it (obfuscation, Referer, CORS and all that).

We in the api signs the request. And we check who sends requests to us.
Key, signature, data. And on the api side, we check whether the signed data converges. If yes, then let the user.
If not, redirect.

Log in through your api, issue a jwt token to the client. The client will send the token on further requests.
Will solve all your problems.