Feature request - Add Cognito into the stack too so you can programatically verify User Pools

Yeah could totally do that. At the moment I've just secured it using API Gateway API Keys.

The way I envisioned this api would be used is it would be a private api that would be available to other services in an application.. So your public facing REST or Graphql API would just consume this.

Cognito actually has SMS MFA and I would recommend using that for a production app if you can.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-text-message.html