I have not seen any official way to do this; however a load balancer that does http url inspection should be able to handle this. If the URL does not contain */api/* fail it.
Would be nice to see a "Allow WebGUI" role but does not look like this exists currently.