As @Evan linked in his comment, you can detect XmlHttpRequest requests by looking for HTTP_X_REQUESTED_WITH in $_SERVER. But this value comes from a header send by the client. As with any information from the user though, this can be spoofed.
There's really no way to block non-XmlHttpRequest in a practical way. If it's really important that you block the API, you can issue a unique key to the Javascript (and store it in the session) upon a request to the main page. It is passed in the XmlHttpRequest, and when that page sees it and validates it, it gives access. But even that unique key can be scraped from the page.
