Unfortunately, not that I know of. Currently, as you said you can you either use HTTP Basic Auth or attach an API key as query parameter (which is also very unsecure).
Is it just an HTTP header that has to be attached to every request? Could you please create a ticket in the enrich bugtracker, explaining the desired flow of the authentication.
Maybe there’s an alternative, like proxy webserver in your subnet which receives unautheticated request from enrich EC2 node and then translates it to your original server? Feels very hacky, but best I can think of at the moment.