Dashboards in iframe for customers without possibility to execute API requests

I would like to provide my customers with dashboards in an iframe without providing them with a Matomo Account. For this I have to add a token in the iframe.
Is it possible to block a token for API requests? Or is it possible to allow API requests only from a certain network?

I made the following settings in my .htaccess:

<Files "*">
<If "(%{QUERY_STRING} =~ /^module\=API/)">
Require ip ::1
Require ip
Require ip myipaddress
Require ip ipaddress of server where dashboard is displayed
<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|^container_.*\.js|robots\.txt|$
        Require all granted

But now the dashboard in the iframe does not work anymore.

Is there another possibility?