If you do not own the REST API's, your responsibility ends with them

You need tests that check if your application calls the API under your control correctly. Therefore, use the actual application with the actual service (the one you control) but calling mocked services (the ones you don't control).

So...

1. Use canned data for the services you don't control, pipe that data into your actual service and then use that from your application.
2. This should be a very broad test to simply check if calls from your application go through to the service. At this point you should already have thoroughly tested your application with the responses your service might return and you should have thoroughly tested your service with the responses the services you can't control might return. All of this preferably automated.
3. Depends on the technology used, which might not make this the best website for that question.

If you do not own the REST API's, your responsibility ends with them

You need tests that check if your application calls the API under your control correctly. Therefore, use the actual application with the actual service (the one you control) but calling mocked services (the ones you don't control).

So...

1. Use canned data for the services you don't control, pipe that data into your actual service and then use that from your application.
2. This should be a very broad test to simply check if calls from your application go through to the service. At this point you should already have thoroughly tested your application with the responses your service might return and you should have thoroughly tested your service with the responses the services you can't control might return. All of this preferably automated. Depending on the amount of releases you do it might be easier to test this manually just prior to release.
3. Depends on the technology used, which might not make this the best website for that question.