We found another answer. We followed directions here, just doing it for EWS: https://www.yshvili.com/disable-external-access-to-ecp-exchange-2019-server-2019/
Basically, we added the IP Address and Domain Restrictions role on the Exchange server. Then we went into IIS. Under the Default Web Site and Exchange Back End sections, we changed the basic Feature Settings and added specific Allow entries.
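
The same steps scripted in PowerShell, as an added example that is not part of the original post or the linked article. It assumes the EWS virtual directories sit at `Default Web Site/EWS` and `Exchange Back End/EWS`, that the Feature Settings change means denying unspecified clients, and that the allow list (constructed sample values) must include loopback and the Exchange server's own address so front-end proxying to the back end keeps working.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Constructed sample allow list; replace with the addresses that need EWS.
$allow = @(
    @{ ipAddress = '127.0.0.1'; subnetMask = '255.255.255.255' }  # loopback
    @{ ipAddress = '10.0.0.25'; subnetMask = '255.255.255.255' }  # this Exchange server (sample)
    @{ ipAddress = '10.0.0.0';  subnetMask = '255.255.255.0'   }  # internal subnet (sample)
)

# Assumed IIS locations of the EWS virtual directories.
$locations = 'Default Web Site/EWS', 'Exchange Back End/EWS'
$filter    = 'system.webServer/security/ipSecurity'

# Step 1: add the IP Address and Domain Restrictions role service.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

foreach ($loc in $locations) {
    # Step 2: Feature Settings -> access for unspecified clients = Deny.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter $filter -Name 'allowUnlisted' -Value $false

    # Entries already present, so a re-run does not add duplicates.
    $present = @(Get-WebConfiguration -PSPath 'IIS:\' -Location $loc `
        -Filter "$filter/add" | ForEach-Object { $_.ipAddress })

    # Step 3: add the specific Allow entries.
    foreach ($entry in $allow) {
        if ($present -notcontains $entry.ipAddress) {
            Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
                -Filter $filter -Name '.' `
                -Value @{ ipAddress  = $entry.ipAddress
                          subnetMask = $entry.subnetMask
                          allowed    = 'true' }
        }
    }

    # Show the resulting rule set for review.
    Write-Host "== $loc =="
    Get-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter "$filter/add" |
        Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize
}
```

After running it, confirm that an allowed internal client can still reach EWS and that a request from an unlisted address is refused.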