A more accurate depiction for us is a separation of our public-facing website, which is more for marketing, from our backend, logged-in customer website, which is what I'd consider our actual application. A few endpoints carry over, such as login, logout, forgot password, registration, and contact/support.
Yeah, that's absolutely the right way to do it. So it's less "API-first", and more "API-first-unless-we-want-it-fast". =)