Hi Andrew, currently I don't have access to a laptop, so I will keep it short and review the status of your question tomorrow.
In the Mx cloud you can configure access restriction profiles based on a CA. If you link that to the endpoint of the API, the Mx infrastructure will require a client certificate signed by that CA to be provided. When you do so, an additional HTTP header will be provided indicating the used certificate (Common Name), on which you can develop custom authentication in your API.
Hope this gives a start!
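As an added example (not part of the reply above and not Mendix's own code), here is one way the custom authentication step could check the certificate header against an allowlist of Common Names and fail closed. The reply does not name the header, so the code takes its value as a plain string; the class name, the allowlist entries and the assumption that the value is either an RFC 2253 subject DN or a bare Common Name are all hypothetical.

```java
import java.util.Optional;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class ClientCertAuth {
    // Hypothetical allowlist: Common Names of the clients allowed to call the API.
    static final Set<String> ALLOWED_CNS = Set.of("billing-service", "reporting-service");

    // Extract the CN from the certificate header value. Assumption: the value is
    // either a subject DN in RFC 2253 form or a bare Common Name.
    static Optional<String> commonName(String headerValue) {
        if (headerValue == null || headerValue.isBlank()) return Optional.empty();
        if (!headerValue.contains("=")) return Optional.of(headerValue.trim());
        try {
            String cn = null;
            // LdapName handles RFC 2253 escaping, so "\," stays inside the value.
            for (Rdn rdn : new LdapName(headerValue).getRdns()) {
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                if (cn != null) return Optional.empty(); // ambiguous: more than one CN
                cn = rdn.getValue().toString();
            }
            return Optional.ofNullable(cn);
        } catch (InvalidNameException e) {
            return Optional.empty(); // malformed DN: treat as unauthenticated
        }
    }

    // Fail closed: a missing, malformed or unlisted CN is rejected.
    static boolean isAuthorized(String headerValue) {
        return commonName(headerValue).map(ALLOWED_CNS::contains).orElse(false);
    }

    public static void main(String[] args) {
        String[] samples = { // constructed header values
            "CN=billing-service,O=Example Corp,C=NL",       // allowed
            "CN=billing-service\\, test,O=Example Corp",    // escaped comma is part of the CN
            "O=Example Corp,C=NL",                          // no CN present
            null                                            // header absent
        };
        for (String s : samples) System.out.println(s + " -> " + isAuthorized(s));
    }
}
```

Matching on the whole parsed CN rather than a substring or prefix of the raw header keeps a certificate issued to a similarly named subject from passing the check.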