Then just don’t make a public API. Make your web server build the HTML in the back-end and simply return it as a whole. KISS.

If you want to build a HTML/JS front-end that calls public JSON/whatever REST services, there will be hundreds of ways to call the services directly¹, even it means to simulate a browser (which is really not as hard as it sounds). The Captcha-based session seems like the only secure choice, but then why go as far as to force the user to do something so annoying, such as filling a Captcha along with every request², if you can simply use server-side HTML builders and get rid of the public API?

¹: I can’t think of any reason to be afraid of that, but I digress.

²: If it isn’t with every request, it must be a session with an expiration date. Until that date, a user can fill the Captcha, get the session ID and just throw it into a program that calls your public APIs.

If you don’t want your users to view the data in the format that is returned by the API to the client side JS, then you can do the client side processing/aggregation on the server itself and return the aggregated data via your API. This way the API will only return the data that the users are allowed to see and your JS framework works just as a presentation layer (you might do away with MVC on the client side).

There is no comprehensive way to prevent your users from accessing data that is accessed by your client side JS code. If it were a compiled app (java applet, etc) you could make it more difficult for the user to view the data from the API but even then the data can still be retrieved.