This using a reverse proxy configuration like NGINX.
However, realize that access to the REST API is all or nothing. While you can grant access to only certain sitemap URLs for given users, you also have to grant access to the REST API endpoints, and an inquisitive student will be able to sniff the network and discover the endpoints.
There is work ongoing to allow authentication and authorization but I don’t know how far they have gotten. It is not easy to implement.
Now another approach which might work for you is to set up a separate OH server for each sitemap. Then use MQTT to proxy/mirror the items that users on that one OH Server are allowed to interact with. Then use the reverse proxy to control access to each separate OH server. The users will still be able to access the full REST API for that OH, but everything on that OH instance is a proxy for the “real” ones so the amount of damage they can do will be limited.
It’s not a fully secure configuration but it does let you limit the damage that can be done by someone rooting around in the REST API.
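A sketch of the reverse-proxy side of that layout, added here as an example and not part of the original post: one NGINX virtual host per proxy openHAB instance, each with its own user file. The hostnames, ports, certificate paths and htpasswd paths are all assumptions.

```nginx
# Added example. Hostnames, upstream ports and file paths are assumptions.
# The "real" openHAB server gets no server block here, so it is not reachable
# through the proxy at all; only the per-group proxy instances are.

# Proxy instance for group A (assumed to listen on 127.0.0.1:8081)
server {
    listen 443 ssl;
    server_name oh-group-a.example.org;

    ssl_certificate     /etc/nginx/tls/oh-group-a.crt;
    ssl_certificate_key /etc/nginx/tls/oh-group-a.key;

    # Users in this file reach everything on this instance, including /rest,
    # but nothing on the other instances.
    auth_basic           "openHAB group A";
    auth_basic_user_file /etc/nginx/htpasswd-group-a;

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Proxy instance for group B (assumed to listen on 127.0.0.1:8082)
server {
    listen 443 ssl;
    server_name oh-group-b.example.org;

    ssl_certificate     /etc/nginx/tls/oh-group-b.crt;
    ssl_certificate_key /etc/nginx/tls/oh-group-b.key;

    auth_basic           "openHAB group B";
    auth_basic_user_file /etc/nginx/htpasswd-group-b;

    location / {
        proxy_pass http://127.0.0.1:8082;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Serving each host over TLS keeps the basic-auth credentials and the REST traffic off the wire in clear text; the instances themselves should bind only to localhost so the proxy is the sole way in.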