A fintech company operates a serverless web API that is publicly accessible and built using Amazon API Gateway with AWS Lambda on the backend. Recently, the company observed a sharp increase in traffic caused by automated botnets and fraudulent requests, which are disrupting performance and incurring additional costs. A solutions architect has been asked to implement measures to prevent unauthorized access while still allowing legitimate users to use the service without friction. What combination of actions should the architect take to address this problem effectively?