We're working to switch from Google CSE to Bing's Web Search API.
The Ocp-Apim-Subscription-Key is visible in a request header (called with an AJAX request).
How do we protect it from use by a third party?
(Note: We don't have any experience with Azure tools.)
You should not be embedding the subscription key into a client-side query. Your search queries should go from the client-> your server -> Bing server and then back the same way.
This information, although on the Image Search page, applies to all Bing Searches:
All requests must be made from a server. You may not make calls from a client.
Although there are some cases where client-side calls are acceptable, such as internal-use cases, client-side is strongly not recommended.