Closing the loop here:
- limited API keys did not work at all with the REST API
- the REST API has been discontinued in TrueNAS 25 (see API Reference | TrueNAS Documentation Hub)
- they worked with the websocket API, using the command below
- limited API keys created like this have been discontinued in TrueNAS >= 25 in favor of limited accounts with user-linked API keys.
From the documentation (bold is mine):

> Existing API keys created via the TrueNAS API (not UI or TrueCommand) that specify an allow list with white-listed API methods are revoked upon upgrade because there is no clean way to migrate to the new system. Administrators should create a service account (a user account for this particular purpose), define desired access rights for this service account, generate a new user-linked API key, and distribute it to the API client.
For TrueNAS < 25, this command allowed me to limit an API key to only lock and unlock datasets:

```
midclt call api_key.update <KEY_ID> '{"allowlist": [{"method": "GET","resource": "pool"},{"method": "*","resource": "pool.dataset.unlock"},{"method": "*", "resource": "pool.dataset.lock"}]}'
```
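A way to check that an allowlist like the one in the command above grants only what the client needs, before the key is handed out. This is an added example, not part of the original post and not TrueNAS code. The matching rule (`*` matches anything, other values match exactly), the key record shape, the `CALL` method name and the probe lists are assumptions made for illustration.

```python
import json

# Allowlist taken from the JSON argument of the midclt command in the post.
POST_ALLOWLIST = json.loads(
    '[{"method": "GET", "resource": "pool"},'
    ' {"method": "*", "resource": "pool.dataset.unlock"},'
    ' {"method": "*", "resource": "pool.dataset.lock"}]'
)

# Constructed key records; the record shape (id, name, allowlist) is assumed.
SAMPLE_KEYS = [
    {"id": 1, "name": "lock-unlock", "allowlist": POST_ALLOWLIST},
    {"id": 2, "name": "legacy-script", "allowlist": [{"method": "*", "resource": "*"}]},
]

# Constructed probes: calls the key needs, and calls it must never be granted.
MUST_ALLOW = [("CALL", "pool.dataset.lock"), ("CALL", "pool.dataset.unlock"), ("GET", "pool")]
MUST_DENY = [("CALL", "pool.dataset.delete"), ("CALL", "user.create"), ("DELETE", "pool")]


def is_allowed(allowlist, method, resource):
    """Assumed matching: "*" matches anything, any other value matches exactly."""
    return any(
        entry["method"] in ("*", method) and entry["resource"] in ("*", resource)
        for entry in allowlist
    )


def review_key(key, must_allow=MUST_ALLOW, must_deny=MUST_DENY):
    """Return findings for one key record; an empty list means least privilege holds."""
    allowlist = key["allowlist"]
    findings = []
    if any(e["method"] == "*" and e["resource"] == "*" for e in allowlist):
        findings.append("unrestricted: allowlist contains */*")
    for method, resource in must_allow:
        if not is_allowed(allowlist, method, resource):
            findings.append(f"missing: {method} {resource}")
    for method, resource in must_deny:
        if is_allowed(allowlist, method, resource):
            findings.append(f"excess: {method} {resource}")
    return findings


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(key["id"], key["name"], review_key(key) or "ok")
```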