Exposing an image API to the public via a domain subdirectory (Apache2, bearer token authentication)


I own an API that retrieves images from a middleware. It requires a bearer token to authenticate. This token is stored in a .env file.

I am exposing it to the Internet (without authentication) via an Apache2 reverse proxy, with the following requirements:

  1. The reverse proxy processes HTTP requests for .JPG images only. That suffix is fixed and case sensitive.

  2. When a user requests https://example.com/images/(path/to/image/)image.JPG, an API request is made to http://api.example.com/a/b/(path/to/image/)image.JPG. The user is returned the response from the API, even if it's an Unauthorized error message. Hopefully it's a JPEG.

  3. https://example.com serves a website, with the DocumentRoot of /var/www/html. There is no images sub-directory, but even if there was, it should be ignored.

Bumbling my way through the mod_apache docs, I am trying to make sense of how to achieve all of the above simultaneously.

The below Apache2 server configuration doesn't work, because the <Proxy> directive apparently cannot live inside the <LocationMatch> directive. But it doesn't make any sense to me where else it could go, given the above requirements.

Is it possible to achieve all of this with Apache 2.4.52? If so, what am I missing in my comprehension?

Thanks in advance!

<VirtualHost *:80>

    ServerName example.com
    
    DocumentRoot /var/www/html

    # Load environment variables from the .env file
    SetEnvIf File "^/var/www/html/.env$" ^API_BEARER_TOKEN=(.*)

    RequestHeader set Authorization "Bearer %{API_BEARER_TOKEN}e"

    <LocationMatch "^/images/[^/]+\.JPG$">
        
        <Proxy>
            AuthType Bearer
            AuthName "Bearer Token Authentication"
            Require valid-user
        </Proxy>
        
        ProxyPassMatch http://api.example.com/a/b/$1
        ProxyPassReverse http://api.example.com/a/b/

    </LocationMatch>

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

The following Apache mods are enabled:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 negotiation_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_html_module (shared)
 proxy_http_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 xml2enc_module (shared)
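One way to meet the three requirements, as an added example that is not part of the original post. It goes in the HTTPS virtual host, because the port-80 virtual host shown above redirects every request to HTTPS. It assumes the token is moved out of /var/www/html/.env and exported in the environment httpd starts with (on Debian/Ubuntu, /etc/apache2/envvars); the TLS directives are omitted.

```apache
# Added example, not the asker's configuration.
# Assumption: /etc/apache2/envvars contains a line such as
#   export API_BEARER_TOKEN='<token>'
# and the copy under /var/www/html has been deleted. SetEnvIf matches
# request attributes; it does not read files, so it cannot load a .env file.

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    # SSLEngine, SSLCertificateFile, ... omitted.

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Requirements 1 and 2: only /images/<path>.JPG is proxied. The regex is
    # case sensitive, so .jpg and .Jpg fall through to the normal site.
    # $1 carries the optional sub-path plus the file name to the API.
    ProxyPassMatch "^/images/(.+\.JPG)$" "http://api.example.com/a/b/$1"
    ProxyPassReverse "/images/" "http://api.example.com/a/b/"

    # Requirement 3: a matching URL is handed to the proxy before it is
    # mapped to the filesystem, so an images/ directory in DocumentRoot
    # is never consulted for it.

    <LocationMatch "^/images/.+\.JPG$">
        # Public endpoint. AuthType / Require valid-user would authenticate
        # the incoming client, which the requirements rule out.
        Require all granted

        # ${API_BEARER_TOKEN} is expanded from the process environment when
        # the configuration is parsed. "set" replaces any Authorization
        # header supplied by the client, so a caller cannot substitute its own.
        RequestHeader set Authorization "Bearer ${API_BEARER_TOKEN}"
    </LocationMatch>

    # ProxyErrorOverride is Off by default, so an Unauthorized response
    # from the API is returned to the user unchanged.

    # Defence in depth: never serve dotfiles such as .env from DocumentRoot.
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

Scoping RequestHeader to the LocationMatch keeps the token off every request that is not proxied to the API. Run apache2ctl configtest after editing; a warning that API_BEARER_TOKEN is not defined means the variable did not reach the httpd environment.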