This seems like common sense, no?
Hindsight is 20/20. As seen in the post, there’s not that many APIs that don’t just blindly redirect HTTP to HTTPS since it’s sort of the default web server behaviour nowadays.
Probably a non-issue in most cases since the URLs are usually set by developers but of course mistakes happen and it absolutely makes sense to not redirect HTTP for APIs and even invalidate any token used over HTTP.
Can confirm this works, removed my tablet screen with my 3D printer.