Secure an API endpoint but not JWT
Hypothetically, just suppose I have users and those users are interacting with my application to build survey forms, for example. The user would log in, authenticate and access via JWT to build a simple survey form. The API endpoint for the survey form would be protected.
The user could then provide a link (URL) to that survey form for Joe Public (a non-logged-in user) to fill in or complete said survey form.
My question is this: if the survey form is protected, is there a method or any way I can then access the survey form via a separate part of my application for a non-logged-in user but still protect access to the API endpoint?
An example from bubble.io: I would have a user logged in using JWT, but bubble.io provides a separate API endpoint (generic, if you like) which allows me to protect any database object.
EDIT: Or do I simply specify 'internal' for those fields I do not want to expose to the API endpoint?