This is a major problem with server-less applications. I have once used a middle-ware server with CSRF implementation which hits the main API with API key. However, that completely kills the concept of server-less.
The only way to hide the API keys is by not sending them in the request from browser, and for that you need an extra middleware server.
Its better to use sessions then relying on API keys. In some cases using keys can't be eliminated.