At the end you say to use local validation in the API gateway and "if" a particular API requires, then do the remote. Are you implying there are cases the resource server does not need to do any validation at all if the gateway already handles it?
Yeah, super context-dependent of course, but imagine a read-only API method for returning the user's rewards points balance. Not terribly sensitive info, not likely to change often. The gateway validation is likely good enough.
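To make the trade-off in this exchange concrete, here is an added example (not code from either commenter or from any particular gateway product). It assumes an HS256-signed bearer token shared between issuer and gateway, a per-route policy table, and a constructed stand-in for the authorization server's introspection endpoint that just consults a revocation set; all key material, routes and token IDs are made up for the demo. Local validation at the gateway checks signature, expiry and audience on every request; only routes marked `remote` additionally pay for the introspection round-trip, which is the only step that can see a revoked-but-unexpired token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the token issuer and the gateway (assumption: HS256).
GATEWAY_SIGNING_KEY = b"constructed-demo-key-not-for-production"
EXPECTED_AUDIENCE = "rewards-api"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 token (issuer side). Claims are constructed sample data."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_locally(token: str, key: bytes, audience: str, now=None) -> dict:
    """Gateway-local validation: signature, alg pinning, expiry and audience.

    Returns the claims on success and raises ValueError otherwise. This step
    needs no network call, which is why it is cheap enough to run on every request,
    but it cannot observe revocation that happened after the token was issued.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


# Per-route policy (constructed): "local" means gateway validation alone is accepted,
# "remote" means the resource server must also introspect the token with the issuer.
ROUTE_POLICY = {
    ("GET", "/rewards/balance"): "local",   # read-only, low sensitivity
    ("POST", "/rewards/redeem"): "remote",  # state-changing; must catch revoked tokens
}

# Constructed stand-in for an RFC 7662 introspection endpoint: the issuer's revocation list.
REVOKED_TOKEN_IDS = {"jti-revoked-001"}


def introspect_remote(claims: dict) -> bool:
    """Simulated introspection call: active unless the token ID has been revoked."""
    return claims.get("jti") not in REVOKED_TOKEN_IDS


def authorize_request(method: str, path: str, token: str, now=None) -> dict:
    """Full request path: gateway-local validation always, remote check only where policy demands it."""
    claims = validate_locally(token, GATEWAY_SIGNING_KEY, EXPECTED_AUDIENCE, now)
    mode = ROUTE_POLICY.get((method, path), "remote")  # unknown routes default to the stricter path
    if mode == "remote" and not introspect_remote(claims):
        raise ValueError("token revoked")
    return {"sub": claims.get("sub"), "mode": mode}
```

The unknown-route default of `remote` is the deliberate design choice: a route has to be explicitly classified as low-sensitivity before it is allowed to skip the resource server's own check, so forgetting to add an entry fails closed rather than open.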