Create distinct roles with specific permissions to call untrusted web services.
Client services authenticate as one of these roles when calling an untrusted web service.
When using an externalized (Nginx) forwarder and gatekeeper, a webservice client can send a Conjur access token for its own identity. The client doesn't have to worry about the gatekeeper misusing the access token,