Thank you MikeUrnum & MuthuKumaranMurugaachari.
I just discovered that the underlying premise of my question was false. Having an ocp-apim-subscription-key to guard my APIM API is an option, not a requirement.
So obviously you only request a subscription & subscription key if you don't want to make it available to the general public, so there is no need to store the ocp-apim-subscription-key in the source code. Instead, just click the check box for a subscription...
I apologize for the confusion.
Now Mike does raise an interesting point!
Let's assume bing.com is implemented with a static web site with AJAX calls to Azure function apps.
Such a site would have to abandon the ocp-apim-subscription-key feature if you wanted everyone to use it!
Could APIM provide sufficient protection to make such an implementation feasible (safe)?
I think this should be the subject of a different post and I'm going to mark this post answered.