API endpoints captured as unauthenticated by RackAttack

Example logs:

  1. Rack Attack logging as throttle_unauthenticated: https://log.gprd.gitlab.net/goto/b22def43df6b9df5b6eed065124f7db4
  2. Rails logging as a known user: https://log.gprd.gitlab.net/goto/c4b50ae79cb77d42544f0e97638ec4e4

I have no idea where to even start with this, other than to suspect it's something similar to gitlab-org/gitlab!48903 (merged) perhaps?

Discovered after dropping the unauthenticated rate limit to 500/IP/minute (in dry-run mode). Although the actual traffic looks a little sus to me (iterating over user IDs), the underlying auth vs unauth problem remains IMO, and warrants at least an explanation before we enforce the rate limits (although maybe we'll class it as not worth fixing).

Proposal

Make sure RackAttack uses the same authentication methods the API does, so we don't miss anything. There is a PoC for that in gitlab-org/gitlab!50452 (closed).

Edited by Bob Van Landuyt
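The following is an added example, not code from this issue or from GitLab itself, illustrating the auth vs unauth mismatch the issue describes and the shape of the proposed fix. It stands in for Rack::Attack's throttle discriminator and for the API's request authenticator with plain Ruby methods; the set of credentials the "API" accepts here (session, PRIVATE-TOKEN header, private_token query parameter, Authorization: Bearer token), the token strings, user IDs and sample requests are all constructed for the example and are not taken from GitLab's code or logs.

```ruby
require 'uri'

# Constructed token table standing in for the personal access token lookup.
# The token strings and user IDs are made up for this example.
KNOWN_TOKENS = {
  'glpat-example-token-1' => 42,
  'glpat-example-token-2' => 43
}.freeze

# Pre-fix classifier: mirrors a throttle discriminator that only recognises a
# logged-in session or a PRIVATE-TOKEN header. Any other API credential falls
# through and the request is counted against the unauthenticated bucket.
def rack_attack_user_id_before(env)
  session = env['rack.session']
  return session['user_id'] if session && session['user_id']

  KNOWN_TOKENS[env['HTTP_PRIVATE_TOKEN']]
end

# Stand-in for the API's request authentication. Assumed credential forms:
# session, PRIVATE-TOKEN header, private_token query parameter and
# Authorization: Bearer <token>. The real API accepts further forms (for
# example job and OAuth tokens); this list is an assumption for the example.
def api_user_id(env)
  session = env['rack.session']
  return session['user_id'] if session && session['user_id']

  token = env['HTTP_PRIVATE_TOKEN']
  token ||= URI.decode_www_form(env['QUERY_STRING'].to_s).to_h['private_token']
  if token.nil? && (auth = env['HTTP_AUTHORIZATION']) && auth.start_with?('Bearer ')
    token = auth.delete_prefix('Bearer ')
  end

  token && KNOWN_TOKENS[token]
end

# Post-fix classifier: the throttle reuses the API's authentication, so every
# request the API accepts as a user is throttled as that user.
def rack_attack_user_id_after(env)
  api_user_id(env)
end

# Returns the throttle bucket a request lands in under a given classifier:
# [:throttle_authenticated_api, user_id] or [:throttle_unauthenticated, ip].
def throttle_bucket(env, classifier)
  user_id = send(classifier, env)
  if user_id
    [:throttle_authenticated_api, user_id]
  else
    [:throttle_unauthenticated, env['REMOTE_ADDR']]
  end
end

# Constructed sample requests (not real log entries). The same client IP
# iterates over user IDs with different credential forms.
SAMPLE_REQUESTS = {
  anonymous:      { 'REMOTE_ADDR' => '203.0.113.10', 'PATH_INFO' => '/api/v4/users/1' },
  header_token:   { 'REMOTE_ADDR' => '203.0.113.10', 'PATH_INFO' => '/api/v4/users/2',
                    'HTTP_PRIVATE_TOKEN' => 'glpat-example-token-1' },
  query_token:    { 'REMOTE_ADDR' => '203.0.113.10', 'PATH_INFO' => '/api/v4/users/3',
                    'QUERY_STRING' => 'private_token=glpat-example-token-1' },
  bearer_token:   { 'REMOTE_ADDR' => '203.0.113.10', 'PATH_INFO' => '/api/v4/users/4',
                    'HTTP_AUTHORIZATION' => 'Bearer glpat-example-token-2' },
  unknown_bearer: { 'REMOTE_ADDR' => '203.0.113.10', 'PATH_INFO' => '/api/v4/users/5',
                    'HTTP_AUTHORIZATION' => 'Bearer glpat-not-a-real-token' }
}.freeze

# Runs every sample request through both classifiers and records where the
# pre-fix throttle disagrees with the API layer's own decision.
def compare_classifiers(requests = SAMPLE_REQUESTS)
  requests.to_h do |name, env|
    before = throttle_bucket(env, :rack_attack_user_id_before)
    after  = throttle_bucket(env, :rack_attack_user_id_after)
    [name, { before: before, after: after, api_user: api_user_id(env),
             mismatch_before: before != after }]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_classifiers.each do |name, r|
    puts format('%-14s before=%-42s after=%s', name, r[:before].inspect, r[:after].inspect)
  end
end
```

Running it shows the `query_token` and `bearer_token` requests counted as unauthenticated by the pre-fix discriminator while the API layer authenticates them as users 42 and 43, which is the log discrepancy above; with the shared authenticator both throttles and the API agree, and a request with an unknown token still lands in the unauthenticated bucket.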