If understanding right you are looking for securing inbound traffic, you can set your web app to inbound traffic routed through your Application Gateway to your app and then enable Web Application Firewall (WAF) support on your Application Gateway.
Check this article link might be helpful in getting better picture of this: Zero to Hero with App Service, Part 6: Securing your web app
Please let us know if further query or issue remains.