Yeah you’d use a reverse proxy. I use NGINX but you can do the same with Apache. Just watch the concurrent connections with Apache — use MTM Worker mode. My site is on its own domain, the API on a subdomain. Files can go wherever, it doesn’t have to be in the theme directory — or completely outside of the Wordpress install if you want.
Not a lot of gotchas, but I prefer PM2 for managing my Node app instances. It’s going on 3 months strong now.