
Why are first parties serving unauthorized API requests? If the API request is unauthorized, surely the proper response is "401 Unauthorized" and not "all the data you asked for, but then I'll find the people who helped you and get mad at them"?

The problem here is that Meta wants to plug things into the internet and then control who gets to ask for those things. This is not how the internet works, at all. If you don't want third parties accessing your APIs, lock them down.



I'm willing to bet the Instagram app already signs its API requests to make sure they're coming from the app. Third-party apps are reverse engineering that. If you try to send a request without those headers, it'll very likely give you a 4xx code.


The DMCA already has provisions that say reverse engineering for interoperability is fair game.


You can reverse engineer it all you want, the issue is when you publish something that interacts with a remote resource in a way that the owner of that resource did not allow you to.


This.

> unauthorized API requests

The word "unauthorized" has two meanings here:

One is authorized by the user, another is authorized by the vendor.



