
Possible solution:

Maybe proxy your Foursquare API requests via https://www.eliotand.me/airbnb-poster/search or a similar API endpoint you'd create. Disallow CORS on that new API endpoint. You can keep the API call signature but remove the client ID and secret.

On your backend you can then make those Foursquare API requests and add the client ID and secret to the request.
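A minimal sketch of the proxy described in the comment above, added here as an illustration and not code from the thread or from any project it links to. The upstream host, the `client_id`/`client_secret` parameter names, the environment variable names and the allowlists are assumptions.

```python
import os
from urllib.parse import parse_qsl, urlencode
from urllib.request import urlopen

# Assumptions, not from the thread: upstream host, env var names, allowlists.
UPSTREAM = "https://api.example.invalid/v2"
ALLOWED_PATHS = {"/venues/search"}
ALLOWED_PARAMS = {"near", "query", "limit"}

def build_upstream_url(path, query_string, client_id, client_secret):
    """Return the upstream URL with server-side credentials, or None if rejected."""
    if path not in ALLOWED_PATHS:
        return None
    # Drop everything the browser sent except allowlisted parameters, so a
    # caller cannot supply its own credentials or reach other API features.
    params = [(k, v) for k, v in parse_qsl(query_string) if k in ALLOWED_PARAMS]
    params += [("client_id", client_id), ("client_secret", client_secret)]
    return f"{UPSTREAM}{path}?{urlencode(params)}"

def fetch(url):
    with urlopen(url, timeout=5) as resp:
        return resp.read()

def make_app(fetch=fetch, env=os.environ):
    """WSGI app; fetch and env are injectable so it can be exercised offline."""
    def app(environ, start_response):
        url = build_upstream_url(environ.get("PATH_INFO", ""),
                                 environ.get("QUERY_STRING", ""),
                                 env["API_CLIENT_ID"], env["API_CLIENT_SECRET"])
        if url is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        try:
            body = fetch(url)
        except Exception:
            # The upstream URL holds the secret: never echo it or the error.
            start_response("502 Bad Gateway", [("Content-Type", "text/plain")])
            return [b"upstream error"]
        # No Access-Control-Allow-Origin header is sent, so scripts on other
        # origins cannot read the response.
        start_response("200 OK", [("Content-Type", "application/json")])
        return [body]
    return app

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, make_app()).serve_forever()
```

The proxy keeps the secret off the client but is itself callable by anyone who can reach it, which is why the path and parameter allowlists matter.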



I built a microservice that does something similar[0] for Mailchimp. They have an API that requires a secret key, but we didn't want to keep a server running for it (and obviously didn't want anyone on the internet playing with our key). So I set up a little Python service that serves a page and 'proxies' the API to the end user.

[0] https://github.com/sasha42/Mailchimp-utility


Very nice!

You could also do this simply by running on Azure Functions (free consumption plan). All you need to deploy is a simple proxies.json, see [1].

On the AWS side it appears you can entirely use API Gateway. Here [2] is a Swagger 2.0 definition file I just wrote which upon import creates an API endpoint that should proxy requests to an external API while adding your secret credentials.

[1]: https://aka.ms/apiproxy

[2]: https://gist.github.com/berndverst/b59fa0b38544f13c05ae0b77f...


And for posterity, here is how to create this kind of API proxy in Azure Functions. It's even easier!

https://gist.github.com/berndverst/37d87570418bbee77641777e1...



