API Management (APIM) is a tool for managing APIs. It provides functionality for delivering APIs to your customers, such as:
- Controlled exposure of APIs, letting you restrict which APIs you reveal to the outside world
- Authentication to your APIs using subscription keys, Azure AD, JWT etc.
- Product and subscription management including self service through a developer portal
- Rate limiting and other security controls
- Custom policies to intercept and adapt requests as required
App Gateway, on the other hand, is essentially a layer 7 load balancer. You can put App Gateway as the entry point of your applications and have it direct traffic to the right location. It provides:
- Security as a single point of entry into your application and the only thing exposed to the internet
- Routing to allow you to direct a public URL to a private application URL, or have path-based routing go to different apps etc.
- An optional Web Application Firewall to protect from OWASP Top 10 attacks and similar
Which one you use depends on what service you are offering. If you just have a web application that is not exposing APIs to the end user, then generally APIM won't be of much benefit and you can just implement App Gateway to handle routing and security. If you are offering APIs, then you may want the features of APIM to help you expose your APIs securely and provide better services for the user. In this scenario you might also consider using App Gateway as well as APIM, primarily if you want to implement the Web Application Firewall (WAF) features. APIM does not provide a WAF, so if you want that protection you can look at App Gateway.
If you are purely implementing App Gateway for WAF, you could also look at Front Door. The Premium SKU also offers a WAF and can be less complex to implement than App Gateway. Front Door can also be used for global load balancing if needed, whereas App Gateway would require Traffic Manager to do that.
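To make the APIM side of the comparison concrete, here is an added example (not part of the original text) of an APIM policy document that combines three of the controls listed above: JWT authentication, rate limiting, and a custom policy that adapts the request. The tenant ID, audience, call limits and the `X-Request-Id` header name are placeholders and assumptions.

```xml
<policies>
  <inbound>
    <base />
    <!-- Authentication: reject requests without a valid Azure AD-issued JWT.
         {tenant-id} and the audience value are placeholders. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://example-api</audience>
      </audiences>
    </validate-jwt>

    <!-- Rate limiting: 100 calls per 60 seconds (assumed values), counted per
         subscription, falling back to the caller IP when the API does not
         require a subscription and context.Subscription is null. -->
    <rate-limit-by-key calls="100"
                       renewal-period="60"
                       counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)" />

    <!-- Custom policy: stamp each request with APIM's request ID so backend
         logs can be correlated with gateway logs. Header name is an assumption. -->
    <set-header name="X-Request-Id" exists-action="override">
      <value>@(context.RequestId.ToString())</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!-- Adapt the response: strip a header that discloses backend technology. -->
    <set-header name="X-Powered-By" exists-action="delete" />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

None of these policies inspects request bodies for injection or similar payloads, which is the gap a WAF on App Gateway or Front Door fills when placed in front of APIM.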