That’s a pretty good definition of what you want.
With Apigee X, you have options.
One option is to expose your different sets of APIs (public and admin) on different networks, different load balancers. With this approach you could make it so that access to the admin APIs is possible only from systems that are on the corporate network. This is one of the key areas of flexibility cited as important for security-conscious organizations. To make this happen you would use different instances, Environments, or environment groups. This topic is covered IN DETAIL in this article by Strebel.
Aside from that segregation, if you are trying to establish trust between Apigee and some upstream system, I would suggest using 2-way TLS there. If you cannot do that, then you can use a system-oriented access token. Using the IP address is probably not ideal. X-API-Gateway-Secret may also not be ideal. It should be easy to use an access token as injected by the Authentication element attached to your HttpTargetEndpoint.
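
As an added illustration that is not part of the original reply, here is an Apigee X target endpoint sketch showing both upstream trust options mentioned above: 2-way TLS and a token injected by the Authentication element. The host name, keystore and truststore reference names, and key alias are placeholders, and the proxy is assumed to be deployed with a service account.

```xml
<!-- Added example, not from the original reply. The URL, the reference
     names and the key alias are placeholders to replace with your own. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>https://upstream.example.internal/admin</URL>

    <!-- Option 1: 2-way TLS. Apigee presents a client certificate from the
         keystore and validates the upstream's certificate against the
         truststore. Either option can be used on its own. -->
    <SSLInfo>
      <Enabled>true</Enabled>
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://upstream-keystore-ref</KeyStore>
      <KeyAlias>apigee-client</KeyAlias>
      <TrustStore>ref://upstream-truststore-ref</TrustStore>
    </SSLInfo>

    <!-- Option 2: system-oriented token. Apigee obtains a token for the
         service account the proxy was deployed with and sends it upstream
         as "Authorization: Bearer ...". No shared secret is stored in the
         proxy bundle. For upstreams that verify ID tokens, the sibling
         element GoogleIDToken with an Audience is used instead. -->
    <Authentication>
      <GoogleAccessToken>
        <Scopes>
          <Scope>https://www.googleapis.com/auth/cloud-platform</Scope>
        </Scopes>
      </GoogleAccessToken>
    </Authentication>
  </HTTPTargetConnection>
</TargetEndpoint>
```

The upstream should verify the client certificate chain or the bearer token on every request, so that a caller who reaches it by some path other than Apigee is rejected.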