In the demo, isn't the original Web API on Azure Websites still exposed and unsecured?
- You created a Web API
- Uploaded it to App Services and is available on on bricks1...azurewebsites.net
- You created a power app on top of this based on the swagger metadata, and it gave you a new secured URI at azure-apim.net
The original is still unsecured and available publicly, so that people could bypass the security layer?