I did start out this way, but I was trying to make something that would achieve the goal without requiring any changes to my application code. Setting the HTTPS_PROXY environment variable on the app server and adding the internal CA cert to the set of trusted authorities is all that's required to get it working now, which is nice.
The thing you've described is still a MitM (the "protected API" can still see all of the request contents on their way to the destination).