CAF Landing zone and multi region

Hi folks !

I'm thinking about implementing CAF with landing zones with the following needs...

• The aim of the architecture is to provide customers an access to some Apis ( Apis will be exposed like that : customer1.mydomain.tld/api/v1/xxxx, customer2.mydomain.tld/api/v1/xxxx )
• Customers can consume their apis by loggin on their respective front apps or directly using custom HTTP requests
• Some customers would probably be located in other region (EU, US, Asia, ...)

In case of optimizing the infrastructure for FinOps, i'm thinking about deploying APIM / FrontDoor (with WAF) / Azure Firewall in a "shared" or "connectivity" named subscription and so resources would be mutualized.

Each customer would have his propper subscription landing zone and in them (app service, aks or others workloads)
Each customer landing zone vnet would be peered with the connectivity subscription and traffic will be routed to azure firewall (hub and spoke) by using UDRs in each subscription.

My questions are :

• Would it be possible to have the following nework flow ?
  Customer --> Internet -->FrontDoor(with multiple location corresponding to the closest endpoint of the customer)-->APIM--> Susbcription of customer 1 or Customer 2 or customer X ?
• In order to isolate the apis of each customers, i think only the subscriptionKey of APIM apis would do the trick and so only the concerned customer can consume their apis.

Thanks for your help and ideas :)