Need help to understand how cache works with request type

Yes, I got something by myself.

For question #1, my understanding is that I have to customize the policies to nominate the allowed endpoints when validating in the authorizer for that token owner.

For example, if that Authorization token owner only has permission to access endpoints 1, 2 and 5, this is the policy I need to generate, which allows all methods.

arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/*/endpoint-1/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/*/endpoint-2/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/*/endpoint-5/*

Remember you have to customize the methods as well; otherwise, if the token owner accesses with method GET and you only set the cached policy to GET, then all requests from the same owner with the same token for other methods (such as POST, PUT, DELETE, etc.) will be refused.

So if the token owner can only do methods GET/POST, the policy needs to be updated as below:

arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/GET/endpoint-1/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/GET/endpoint-2/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/GET/endpoint-5/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/POST/endpoint-1/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/POST/endpoint-2/*
arn:aws:execute-api:ap-southeast-2:<account_id>:<restapi_id>/dev/POST/endpoint-5/*

There are AWS limits for the policy size, so make sure it is kept within the limit.

This way of managing the policies is not only for the request token; it is the same for the token type as well. Same solution.

For question #2, I still don’t get an answer.
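As an added example (not code from the original poster or from AWS), here is a Python helper that enumerates every allowed method/endpoint pair into one authorizer policy, alongside the request-only variant that causes the cache problem described above, and a small matcher that simulates how the cached policy would answer later requests. The account id, API id, endpoint names and grants are constructed placeholders, and the matcher uses shell-style wildcards as a simplification of IAM's ARN matching.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholder values (not from the original post); the ARN layout
# follows the one shown in the answer above.
REGION, ACCOUNT_ID, RESTAPI_ID, STAGE = "ap-southeast-2", "123456789012", "abcdef1234", "dev"

# Hypothetical grants for one token owner: endpoint -> allowed HTTP methods.
SAMPLE_GRANTS = {"endpoint-1": ["GET", "POST"], "endpoint-2": ["GET", "POST"], "endpoint-5": ["GET"]}


def resource_arn(method: str, endpoint: str) -> str:
    """One execute-api ARN; '*' for method or endpoint acts as a wildcard."""
    return f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{RESTAPI_ID}/{STAGE}/{method}/{endpoint}/*"


def build_policy(principal_id: str, grants: dict) -> dict:
    """Authorizer response listing every method/endpoint the owner may call.

    API Gateway caches the whole response per token, so the cached policy has to
    cover all methods the owner is entitled to, not just the triggering request.
    """
    allowed = sorted(resource_arn(m, ep) for ep, methods in grants.items() for m in methods)
    if allowed:
        statements = [{"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}]
    else:  # no grants at all: deny the whole stage explicitly instead of returning an empty policy
        statements = [{"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": [resource_arn("*", "*")]}]
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": statements}}


def build_policy_for_request_only(principal_id: str, method: str, endpoint: str) -> dict:
    """The pitfall from the answer: a policy scoped only to the request that hit the authorizer."""
    return build_policy(principal_id, {endpoint: [method]})


def policy_size_bytes(response: dict) -> int:
    """Serialised policy size, to compare against the AWS limit before returning it."""
    return len(json.dumps(response["policyDocument"], separators=(",", ":")).encode())


def is_allowed(response: dict, method: str, endpoint: str) -> bool:
    """Simulate the cached policy for a later request: an explicit Deny wins,
    otherwise at least one Allow statement must match the request's ARN."""
    target = resource_arn(method, endpoint)
    verdict = False
    for statement in response["policyDocument"]["Statement"]:
        if any(fnmatchcase(target, pattern) for pattern in statement["Resource"]):
            if statement["Effect"] == "Deny":
                return False
            verdict = True
    return verdict
```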