You can use a Lambda authorizer. The Lambda function will return a different policy to each API key that will specify which endpoints are allowed and which are denied.
Saying that, I am not sure this is the right approach. API keys should not be used for authorization. If you are using a Cognito authorizer, you could use scopes to protect the different endpoints.
Oh, I always thought API keys were for authorization. What should they be used for instead?
API Keys should be used for usage plans, i.e., limit the usage by different clients and throttle them if they exceed their quota.
Client API throttling in API GatewayAccepted Answerasked a year ago
How can API Gateway WebSockets be throttled per-user?Accepted Answerasked 2 years ago
API Gateway Count Metrics per API Keyasked 8 days ago
API Key per resource?asked 6 days ago
API Gateway Boto3 get_usage() - Running Total or just daily?asked 4 months ago
x-api-key for Usage Plansasked 3 years ago
How to associate an api key to an API Gateway websockets APIasked 3 years ago
Multiple API keys and the flow rate limit in the usage planAccepted Answer
Lambda Authorizer with API Key enabled on API Gatewayasked 2 months ago
About the flow restriction of multiple APIs associated with an usage planAccepted Answer