Yes, you can use API Gateway as a BFF. As far as I'm aware, it doesn't manage user sessions in the same way as described in this article. (I wrote it some time ago, not sure anything changed there?) Nonetheless, I agree that it is a valid way to build a BFF.

Google has Identity-Aware Proxy. Maybe that could also be an option. Duende has Duende BFF. Then there's Curity, and OAuth2Proxy. The list goes on and on... Also valid options I.M.O.

There's also the option of having someone sign in on a server-side BFF without propagating the user's token downstream. To accomplish that, there are also several solutions available.

So, I'm not sure... What are you trying to say? What am I missing?