There are numerous online resources which provide JavaScript APIs to access their services. To be more clear, I will base my question on the example of MapBox, but this applies well to many other services in various domains.
When someone wants to use such a service in a web application (like the map imagery from MapBox for example), they typically need to Register/Sign Up and obtain an access token to access the service.
Now, if I would use the API from the server side - there is no issue: I know my token is stored securely somewhere on the server and is only "exposed" upon communication between my server and the service provider. However, in case of a JavaScript API (for example if I use Leaflet to render a map from MapBox), I am supposed to have my access token in a JavaScript which is exposed to the user's web browser - and so it makes it extremely easy to find someone's access token. In my example, simply going to any website using Leaflet and opening "Dev Tools" in Firefox reveals the token they use in a minute of attentive reading of their JavaScript code.
This token however, as for me, should be considered as a very secure data - service usage is tracked based on the authentication this token provides. If you pay for the service based on its usage it becomes very critical, but even if you don't (like, if you use a Free/Starter/Non Paid plan) - service usage is limited and I'd like to be sure it is only me who uses it.
Clearly, there are strategies like IP/domain filtering by service provider, for example, but it doesn't seem that all service providers support this - for example, MapBox doesn't seem to (or I didn't find it). Or, ultimately, I can proxy the service via my web server, but this is super heavy.
Given all that - is there a way to secure the access token used by a JavaScript API to access an external service, provided that JavaScript is executed in a user's browser?