Well, you can use both. You can also use the security gateway for accessing the API.
For Dynatrace Managed the 443 is just proxied by NGINX to the dynatrace server itself. It will also handle load-balancing in the cluster.
The 8443 is the dynatrace server process itself.
It is also possible to use the security gateway to call the Environment API.