This works if Windows Authentication can be enabled on the API.

Have the gMSA be the identity that the app pool runs under then set “UseDefaultCredentials” to true in your HttpClientHandler. Do not include an authorization header or credentials. The request will be made by the gMSA due to the app pool.