security – How to limit API endpoints deployed in AWS Application Load Balancer?

I've created a web API application that includes a few modules, such as account, user, and so on, and which has at least 10 endpoints.

I have it deployed on EC2 instances and configured in an Application Load Balancer with a domain in the cloud. The authentication used is OAuth2 (carrier token).

Everything works properly and can be accessed using the domain address and the load balancer address. It can be accessed from anywhere, and anyone can register to the application with the help of the recording API. So, how can I limit that?

How can I restrict this public access? What is the standard practice for this deployment?