There's a lot to unpack here and this answer won't do it justice - I strongly recommend that you reach out to your local AWS Solutions Architect who can have a conversation with you in depth about this. If they can't, they can find a networking expert who can. That said:
I would always use an API Gateway instead of a firewall for API Gateway "type tasks" for many reasons. First, API Gateway is scalable and you only pay for what you use. You also get very fine-grained controls down to the method level. You can modify requests and check for specific attributes - all without scaling your back end.
But: If you're dealing with other types of traffic (non-HTTP) then a firewall might be the best choice.
You're right, API Gateway won't do everything for you. But neither will a firewall.
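As an added illustration of the method-level control the answer refers to (this is example code, not part of the original answer or an AWS-provided sample), the following Lambda REQUEST authorizer checks one request attribute, a hypothetical `X-Client-Id` header, and returns an IAM policy that allows only the HTTP methods and paths that client is entitled to, so disallowed calls are rejected by API Gateway before they reach the backend. The client allow-list and ARN values are constructed for the example.

```python
import re

# Constructed allow-list: client id -> set of (HTTP method, resource path).
# Hypothetical values; a real deployment would load these from a store.
CLIENT_GRANTS = {
    "reporting-svc": {("GET", "orders"), ("GET", "orders/*")},
    "fulfilment-svc": {("GET", "orders"), ("POST", "orders"), ("PUT", "orders/*")},
}

# methodArn shape: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}
_ARN_RE = re.compile(r"^(arn:aws:execute-api:[^:]+:[^:]+:[^/]+)/([^/]+)/([A-Z]+)/(.*)$")


def parse_method_arn(method_arn):
    """Split the invoked method ARN into (api_arn, stage, method, path)."""
    m = _ARN_RE.match(method_arn)
    if not m:
        raise ValueError("unexpected methodArn: %r" % method_arn)
    return m.groups()


def build_policy(principal, api_arn, stage, grants):
    """Return an authorizer response allowing exactly the granted (method, path) pairs.
    API Gateway caches this policy per identity source, so it lists every grant
    for the client, not just the method being invoked right now."""
    resources = ["%s/%s/%s/%s" % (api_arn, stage, method, path) for method, path in sorted(grants)]
    statement = {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": resources}
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
    }


def lambda_handler(event, context=None):
    """Entry point for an API Gateway REQUEST authorizer."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    client_id = headers.get("x-client-id", "")
    api_arn, stage, _method, _path = parse_method_arn(event["methodArn"])
    grants = CLIENT_GRANTS.get(client_id)
    if not grants:
        # Raising "Unauthorized" makes API Gateway answer 401 without invoking the backend.
        raise Exception("Unauthorized")
    return build_policy(client_id, api_arn, stage, grants)
```

Methods not listed in the returned policy (for example POST from `reporting-svc`) get a 403 from API Gateway itself, which is the "check attributes without scaling your back end" point in the answer.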