You can restrict API access from Internet but you need a Private endpoint to access the API Management via VNET peering which is not possible in Basic Tier.
I would recommend you to upgrade the tier to Premium where you get private API endpoint which is not accessible from Internet and only via Private IPs.
To restrict access from Internet, use the policy which is mentioned over here.