Topic on Project:Support desk

API: Disable dangerous "createaccount" action?

Subfader (talk | contribs)

I have disabled editing for anons and use various anti-spam protections.

And I use $wgEnableWriteAPI = true because Ajax watching is nice.

I find it somehow dangerous to have API actions like createaccount. I disabled it manually now in the core, but a proper way might be better?

Also, how does that work together with Extension:ConfirmEdit?

This, that and the other (talk | contribs)

The recommended way to disable API account creation (or any API action module) is to use $wgAPIModules['createaccount'] = 'ApiDisabled'; in LocalSettings.php. See API:Restricting API usage.

API account creations still have to solve the captcha. I don't know how it works with ReCaptcha, but with FancyCaptcha the API gives the client a URL to the captcha image, and the client has to respond with the captcha solution in a subsequent API request.
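A way to confirm from outside that the $wgAPIModules setting above took effect, as an added example (not part of the original thread and not MediaWiki's own code): it posts a parameterless action=createaccount request to your own wiki's api.php and classifies the reply. The function names, the placeholder URL and the sample replies are constructed for illustration; the "moduledisabled" error code is assumed to be what ApiDisabled returns on your MediaWiki version.

```python
import json
import urllib.parse
import urllib.request

# Assumption: ApiDisabled answers with this error code; confirm on your version.
DISABLED_CODE = "moduledisabled"

# Constructed sample replies (not captured from a real wiki).
SAMPLE_DISABLED = ('{"error":{"code":"moduledisabled",'
                   '"info":"The \\"createaccount\\" module has been disabled."}}')
SAMPLE_OTHER_ERROR = '{"error":{"code":"constructed-other-error","info":"sample"}}'
SAMPLE_NOT_JSON = "<html><body>502 Bad Gateway</body></html>"


def classify(body: str) -> str:
    """Classify an api.php reply to action=createaccount.

    'disabled'  - the module answered with the ApiDisabled error
    'reachable' - valid API JSON that is NOT the disabled error, so the real
                  module (or something else) handled the request: review it
    'unknown'   - not API JSON at all (proxy page, HTML error, empty body)
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    err = data.get("error")
    if isinstance(err, dict) and err.get("code") == DISABLED_CODE:
        return "disabled"
    # Fail closed: any other JSON reply means the setting did not take effect.
    return "reachable"


def probe(api_url: str, timeout: float = 10.0) -> str:
    """POST a createaccount request with no name or password and classify it."""
    form = urllib.parse.urlencode(
        {"action": "createaccount", "format": "json"}).encode()
    try:
        with urllib.request.urlopen(api_url, data=form, timeout=timeout) as resp:
            return classify(resp.read().decode("utf-8", "replace"))
    except OSError:  # URLError/HTTPError and socket errors are OSError subclasses
        return "unknown"


if __name__ == "__main__":
    for sample in (SAMPLE_DISABLED, SAMPLE_OTHER_ERROR, SAMPLE_NOT_JSON):
        print(classify(sample))
    # Live check against your own wiki (placeholder URL):
    # print(probe("https://wiki.example.org/w/api.php"))
```

Run it after every MediaWiki upgrade or LocalSettings.php change; anything other than "disabled" means the module should be looked at again.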

Florianschmidtwelzow (talk | contribs)

For reCaptcha (or in general any other CAPTCHA module) you should get all required data to rebuild the CAPTCHA form yourself to solve it (in reCaptcha e.g. the public key). You can send the response (of the user) to the API and it should work. But I never tested it, nor have I used it :/
