I think the problem you are talking about is: if the only protection is an Origin or Referer header check, can't it be spoofed? Yes it can be, but not effectively from a browser.
MapTiler and other API providers rely on browser-level security. So when they say something like "Only allow requests from certain HTTP origins", it means: only requests made from a browser will have a reliable Origin or Referer header.
So what if someone tries to call their API from curl (for example)? He would have to forge the origin too, and of course it won't work unless CORS allows it, and he would also have to spoof the browser context (which is much harder).
CORS + frontend-only usage + origin restriction will protect your API key. MapTiler checks the Origin or Referer of browser requests. They don't enable CORS for non-whitelisted domains.
About spoofing the headers: CORS preflight checks won't pass, and they won't receive a response in the browser JS context due to the same-origin policy.
Of course this is not truly secure, it is risk control. It just raises the bar by making it non-trivial.
You can try rate limiting + quotas on the MapTiler dashboard, and obfuscation, and so on.
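Added example (not code from the post above or from MapTiler): a minimal server-side Origin/Referer allowlist check of the kind the post describes, which emits CORS headers only for allowlisted origins so a browser page on any other site never gets to read the response. The allowlist and header values are constructed for the example; as the post says, this is risk control for browser-originated traffic, not authentication.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real service reads its own configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://maps.example.org"}


def origin_of(value):
    """Reduce an Origin value or a full Referer URL to scheme://host[:port].

    Returns None for missing values, non-http(s) schemes and the literal
    "null" origin browsers send from sandboxed or opaque contexts.
    """
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_origin(headers):
    """Prefer Origin (sent on cross-site and preflight requests), fall back to Referer."""
    lowered = {name.lower(): val for name, val in headers.items()}
    return origin_of(lowered.get("origin")) or origin_of(lowered.get("referer"))


def check_request(method, headers):
    """Return (status, response_headers) for an API request.

    Allowlisted origins get a specific Access-Control-Allow-Origin echo (never "*"),
    so only pages on those origins can read the body from JS; everything else,
    including requests with no usable origin, is refused with no CORS headers.
    """
    origin = request_origin(headers)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return 403, {}
    cors = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # responses differ per origin, so caches must key on it
    }
    if method == "OPTIONS":
        # Preflight: answer with the allowed methods and no body.
        cors["Access-Control-Allow-Methods"] = "GET"
        return 204, cors
    return 200, cors
```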