This is not an official answer, but I'm looking to do the same and I think Chris confirmed that previously:
> That’s true, you can use an internet NEG to configure load balancer integration, but with the downside that the direct gateway URL is still available.

(He also confirmed this is how we could set up a custom domain for API GW currently.)
There are some limitations with this approach, however, e.g. (my wording):
> However, the reason Cloud Armor is not effective for it yet is because the internal-and-gclb ingress setting is not supported by API Gateway. So any Cloud Armor restrictions could be bypassed by making calls directly to the API Gateway endpoint.

That being said, the direct API Gateway is not inherently discoverable (even through DNS queries), so this may not be as much of a concern.
I haven't tried this yet, but I'm very much looking to do it. If you try first, please let me know if that works for you (I'll post back my findings as well).