WP-API: how do I allow authenticated clients only?

I set up an OAuth client for WP-API following the instructions for WP-API/OAuth1 on github.

I was disappointed to realise afterwards that all of the site’s content remains available over the API, including all sorts of not-really-public metadata like user registration dates. I don’t want this.

How do I restrict the JSON API to allow OAuth clients only?

This is how I did it, but I feel it could be better. For one thing, this results in HTTP 500… 403 would be preferable

add_filter( 'json_authentication_errors', function( $authenticated ) {
    if( !$authenticated ) {
        return new WP_Error('Access Denied');
    }
}, 99 );

(I understand this’ll work for Basic Auth too)