I would rather that you didn't do this, please.
You are correct that I am currently not doing very much to prevent this, other than standard CORS which would prevent you doing it from a webpage. I know there are ways that you could workaround that, such as by running a proxy, and it would mean additional effort on my part to do more to enforce my request - so for now, I'm just asking - please don't publish public web-pages driven by the APIs that I provide.
My primary concern is the risk of your students publishing private API keys used to secure the Machine Learning for Kids API on a public unauthenticated and unprotected webpage, so if you would ensure that students only host those webpages on a private internal network and not on the Internet, or require a secure form of authentication to access it, then this would go some way to mitigate that concern.
Kind regards
Dale