My development halted here so I eventually reached for another solution regarding authentication, so I will still be using your plugin!
Since I’m using another API on my backend I decided to proxy all requests to WP through that other API which itself has JWT authentication.
Then I just block any incoming requests from outside to /wp-json. My other API can reach this location through Basic auth, which is safe enough since the calls are all done internally.
This is how I did it for Apache, if someone else is interested. Not the best solution, but it will do for now.
<Location "/wp-json">
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Location>
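
A variant of the block above that also restricts the source address, so /wp-json answers only the internal API and only with valid credentials. This is an added example, not part of the original post; it assumes Apache 2.4 and that the proxying API runs on the same host (loopback), so adjust the address for your own layout.

```apacheconf
# Added example (not from the original post). Assumes Apache 2.4 with
# mod_auth_basic, mod_authn_file, mod_authz_core and mod_authz_host loaded.
<Location "/wp-json">
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/.htpasswd

    # Both conditions must hold: request comes from the internal API host
    # AND carries valid Basic credentials. Anything else is refused before
    # WordPress is reached.
    <RequireAll>
        # Assumption: the internal API is on the same machine. Replace with
        # the internal API's own address if it runs on another host.
        Require ip 127.0.0.1 ::1
        Require valid-user
    </RequireAll>
</Location>
```

`Require ip` matches the address of the connecting peer, so if Apache sits behind a reverse proxy or load balancer it sees that proxy's address unless mod_remoteip is configured.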