@Joris Bijnens To add to what @Roderick Bant shared, we understand that you are looking to limit your web app to only access certain resources and also attach it to a VNet.
It sounds like you are concerned that the IP address might change. I do not see this called out in the considerations section of the document, so I do not think this is a concern. If you read something different, please let us know.
In regard to using a NSG with your web app, I do believe you will need to use the built in "access restrictions" feature (web apps own version of an NSG) of the web app as multi-tenant web apps I do not believe integrate with the standalone NSG product in Azure. Read further on access restrictions here if this is something you are interested in. (note that an App Service Environment does work with the NSG product.)
If you have further questions or concerns, please let us know.