Is it possible to hide INSTANCE-ID in WMS request, so that its not public and visible to everyone, who use application, where the WMS service is used? What would be the best way to do it?
The limitations of OGC standard do actually not make it feasible to hide the instance ID.
What we suggest you do is to use Sentinel Hub API instead of OGC API:
This supports proper token based authentication so it is much more difficult to “steal” the connection.
For our enterprise customers we do even provide a secure handshake, so that you do not reveal any credentials. You can check how this is done on Sentinel Playground.