It’s difficult to find where these bad API keys are coming from. The only suggestion is to enable audit, which is overkill and uses a lot of resources logging 99% of the audit events that are good.
If the x_forwarded_for and source_ip fields could be added, tracking down bad requests would be much easier with much less data logged.