API Expert
1 min read, Apr 28, 2023


Well, if you include the app in the gateway, it is no longer a 'gateway'; it is now an 'API application' with all security/rate limiting at the same routing layer.

The issue is the networked abstraction of security/rate limiting etc. to a separate network service, wherein any 'internal forward' in the API application would bypass the gateway (see https://nvd.nist.gov/vuln/detail/CVE-2022-31692).

The HTTP protocol allows applications to forward/internally redirect a request inside the application to another endpoint without going outside the DMZ (see redirect). This is 200% faster and more secure than a redirect, but API Gateways do not take this part of the HTTP protocol into consideration and thus cannot secure these endpoint calls.

The only way to secure this is to duplicate ALL security in the API Gateway to your API application. This has been confirmed by Mulesoft, Tyk, Kong, Nginx, Apigee, and AWS (these are the ones I have consulted with).
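The following is an added illustration of the point made above; it is not code from the commenter or from any of the vendors named. It models a gateway that authorizes only the path the client asked for, and an application whose `/report` handler internally forwards to a protected `/admin/users` endpoint. The route names, the `X-Role` header and the `POLICY` table are hypothetical. With `enforce_in_app=False` the application trusts the gateway and the forwarded dispatch reaches the protected handler unchecked; with `enforce_in_app=True` the application re-applies the same policy on every dispatch, including forwards, which is the duplication of gateway security into the application that the comment describes.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    dispatch: str = "REQUEST"   # "REQUEST" from the client; "FORWARD" for an internal forward

# Hypothetical authorization policy shared by gateway and application: path -> required role.
POLICY = {"/admin/users": "admin"}

def role_of(req):
    # Constructed convention: the caller's role arrives in an X-Role header.
    return req.headers.get("X-Role", "anonymous")

def authorized(req):
    required = POLICY.get(req.path)
    return required is None or role_of(req) == required

def gateway(app):
    """The gateway sees only the path the client requested, never later internal dispatches."""
    def handler(req):
        if not authorized(req):
            return 403, "gateway: forbidden"
        return app(req)
    return handler

def make_app(enforce_in_app):
    """Build the application. With enforce_in_app=False it relies entirely on the gateway."""
    def dispatch(req):
        # Re-check the policy on every dispatch type, including FORWARD, when enforcement is on.
        if enforce_in_app and not authorized(req):
            return 403, "app: forbidden"
        return routes[req.path](req)

    def admin_users(req):
        return 200, "user list"

    def report(req):
        # Internal forward to the protected endpoint; this never passes back through the gateway.
        return dispatch(Request("/admin/users", req.headers, dispatch="FORWARD"))

    routes = {"/admin/users": admin_users, "/report": report}
    return dispatch

def call(path, role, enforce_in_app):
    """Send one client request with the given role through gateway and app; return the status."""
    edge = gateway(make_app(enforce_in_app))
    return edge(Request(path, {"X-Role": role}))[0]

if __name__ == "__main__":
    for enforce in (False, True):
        print(f"enforce_in_app={enforce}:",
              "direct /admin/users as anonymous ->", call("/admin/users", "anonymous", enforce),
              "| /report as anonymous ->", call("/report", "anonymous", enforce))
```

Running it shows the gateway rejecting the direct anonymous request in both configurations, while the anonymous `/report` request succeeds only when the application does not enforce the policy itself.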


Written by API Expert

Owen Rubel is the 'API Expert'. He is an Original Amazon team member, Creator of API Chaining(R), Leader in API Automation
