Frappe Framework as Backend API is possible.
General practice with frappe frontends is packing static assets, service workers, login experience and all other things as frappe www route. That means the frontend and backend is served through same site, it is using cookies and session created on the same domain. Packing the js/css/html in www pages will only allow you to serve frontend tied with the backend. Check frappe/hrms, frappe/helpdesk.
If you are looking to serve the frontend from separate domain/sub-domain altogether and just expose /api/* routes for frappe site’s domain so no one can visit /desk or /app on frappe site, you will need something like following with oauth2/oidc.
Optionally you can expose full desk/app view under your VPN for your admins.
Someone shared their achievement with this type of setup here, Issues with OAuth Bearer Token Validation When Using Keycloak for API Access - #3 by naikun