If I were to create two separate projects:
The MVC project would use HttpClient to talk to the Web API.
If this is the case and I wanted to use the built in ASP.NET Identity should I be doing it through the Web API or just keep it as part of the MVC project?
From the description of your question, it seems like you will end up protecting only 1 layer of your app.
Ideally, you would protect both. On the MVC application side you would want to do user authentication
with ASPNET Identity (establish who wants to get information) and on the WebAPI side you would want to do resource authentication
or client authentication
to check if the caller of the API (app x) actually has the rights to call the API. The latter cannot be done through ASPNET identity. You would want something like Identity Server 4 or Azure B2C like products to achieve that.
Now, you could keep the API open & internal and just call it from HTTPClient in the MVC APP, but, I wouldn't do that if I were you. The only reason I can think of why you would want an API is, so that you can later use it from other apps, so, keeping the API open like that is not advisable.
If I were in your shoes, I would want to have a security framework around my applications and then proceed with giving applications the required access on the API to carry out needed operations.