Hi Jeff,
Assuming that you are running API Gateway 9.2 with OTK 4.1, here is the full documentation on the Apply Rate Limit Assertion. As stated, all OTK endpoint services are modifiable and you can add this assertion to the policy. However, services are overwritten during an upgrade. If you have customized a service, make a copy to save your customizations, upgrade, then copy your customizations into the newly upgraded service. Also be aware that OAuth 1.0 support was dropped in OTK 4.2. Hope that helps.
Simon