Correct. You must not use the APIs from a browser because you would be exposing your secret key to the world.
So the way to do this is by using .NET as a proxy to call the REST API securely and return results.
Or fly up to NYC for my talk at the August MUG meeting and learn how to do it all in the browser without any security leaks.
Have you been able to put a blog post together on using REST to implement external page prefill?
Thanks - Aida