If it's AWS, the quickest path to doing this securely is AWS API Gateway mTLS authN[0]. You generate some certs, stuff the public halves in S3, slap an ACM cert on the Gateway, and you're done.
I have also used certificate authentication on TLS-terminating reverse proxies (e.g., this is easy to do with HAProxy) to do the same in other environments. You can pin the API's certificate on the client end in order to further reduce MITM risks.
If you don't want to supply a client certificate in your client application, Stunnel[1] is an acceptable wrapper that lets your clients remain TLS-unaware. You could use it for both ends of the tunnel, if you felt like it.
Either way, you end up with a secure tunnel through the internet to the proxy, at which point you're back inside private networks.
(Source: I build this kind of thing for a living.)
[0]: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-...
[1]: https://www.stunnel.org/auth.html
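Added example (not from the comment author): an HAProxy frontend that terminates TLS and requires a client certificate issued by a private CA, roughly the reverse-proxy setup described above. The file paths, the CN allow-list file and the backend address are assumptions.

```haproxy
# Assumed paths: server.pem = server cert + key chain, clients-ca.pem = the CA
# that issued the client certs, clients.crl = revocation list for that CA.
frontend api_in
    # "verify required": the handshake fails unless the client presents a cert
    # chaining to clients-ca.pem; revoked certs in clients.crl are refused too.
    bind *:443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/clients-ca.pem verify required crl-file /etc/haproxy/clients.crl
    mode http
    option httplog

    # Second gate: only CNs listed in the allow-list file may reach the API,
    # so a valid but unexpected cert from the same CA is still rejected.
    acl known_client ssl_c_s_dn(CN) -m str -f /etc/haproxy/allowed-cns.txt
    http-request deny deny_status 403 unless known_client

    # Hand the verified identity to the backend for logging and authorization.
    http-request set-header X-Client-CN %[ssl_c_s_dn(CN)]
    default_backend api_private

backend api_private
    # Private-network hop after the tunnel, as in the comment above.
    mode http
    server api1 10.0.0.10:8080 check
```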