
Is it possible to authenticate with AWS Signature V4 and set access policies on backend APIs based on the identity associated with the signature?

Or are signed messages only used for accessing AWS infrastructure APIs, e.g. the API Gateway APIs themselves and not the APIs it is managing?

jhurtas

1 Answer


Yes, you can. If you set the authorizationType on a method defined in API Gateway to AWS_IAM, then the method can only be invoked if the request is signed by an AWS principal (a user or an assumed role) that is allowed to perform the execute-api:Invoke action on that method.

See https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html for details on how to specify the actions. In short, your policy should allow execute-api:Invoke for an ARN or ARNs with the format:

arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier

By assigning different policies to different principals, each principal can have a different level of access. For instance, you could have a policy that allows all HTTP verbs, which is a read-write level of access, and another that only allows GET, HEAD and OPTIONS, a read-only level of access to the API. Or you could use different resource-path-specifiers to allow only certain resource paths for each principal.

djdunford
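The policy patterns the answer describes (a read-write principal, a read-only principal limited to GET/HEAD/OPTIONS, and a principal scoped to certain resource paths), worked through as an added example that is not part of the original question or answer. It builds execute-api:Invoke resource ARNs in the format quoted above and evaluates identity-based policies against them with IAM's matching rules: `*` matches any run of characters (including `/`), `?` matches one character, action names are case-insensitive, and an explicit Deny wins over any Allow. The region, account id, API id, stage and paths are constructed placeholders, not values from the page.

```python
# Added example, not code from the original question or answer: a small
# evaluator for identity-based IAM policies granting execute-api:Invoke,
# using the ARN format quoted in the answer. The region, account id, API id,
# stage and resource paths are constructed placeholders (assumptions).
import re

REGION, ACCOUNT, API_ID, STAGE = "us-east-1", "123456789012", "a1b2c3d4e5", "prod"


def invoke_arn(verb, path, region=REGION, account=ACCOUNT, api_id=API_ID, stage=STAGE):
    """Resource ARN that API Gateway evaluates for execute-api:Invoke:
    arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier"""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{verb}/{path.lstrip('/')}"


def arn_matches(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters (it does cross '/'),
    '?' matches exactly one character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource_arn):
    """Evaluate one identity-based policy for one request the way IAM does:
    an explicit Deny wins over any Allow, and with no matching Allow the
    result is an implicit deny. Actions are case-insensitive, ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(arn_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Read-write principal: every verb on every path of this stage.
READ_WRITE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "execute-api:Invoke",
        "Resource": invoke_arn("*", "*"),
    }],
}

# Read-only principal: only the safe verbs, on every path.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "execute-api:Invoke",
        "Resource": [invoke_arn(v, "*") for v in ("GET", "HEAD", "OPTIONS")],
    }],
}

# Path-scoped principal: any verb, but only on /items and below, and never DELETE.
ITEMS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": [invoke_arn("*", "items"), invoke_arn("*", "items/*")],
        },
        {
            "Effect": "Deny",
            "Action": "execute-api:Invoke",
            "Resource": invoke_arn("DELETE", "*"),
        },
    ],
}


if __name__ == "__main__":
    requests = [("GET", "/items"), ("POST", "/items"), ("DELETE", "/items/42"), ("GET", "/admin/users")]
    for name, policy in (("read-write", READ_WRITE), ("read-only", READ_ONLY), ("items-only", ITEMS_ONLY)):
        for verb, path in requests:
            verdict = "allow" if is_allowed(policy, "execute-api:Invoke", invoke_arn(verb, path)) else "deny"
            print(f"{name:11} {verb:7} {path:13} -> {verdict}")
```

Two things to keep in mind when carrying this over to a real API: the policy is only consulted when the method's authorizationType is AWS_IAM and the request carries a valid SigV4 signature for that principal, and because `*` matches across `/`, a resource of `.../items/*` also covers `/items/42/children`; use explicit path segments where that is not intended. A caller from another AWS account additionally needs the API's resource policy to permit the invocation.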