Hi -
Based on the requirements stated then deploying flexible-server into the VNET as "private access" would be correct. There is no public endpoint in this configuration.
REF https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private#private-access-vnet-integration
In the case of the App Service Web App then you need to associate it with a VNET which gives you outbound private network access (required for the flexible-server when VNET integrated/private)
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
In order to prevent public access to the web app you can deploy a private endpoint for clients to utilise. Doing this enables you private access and allows the public endpoint to be disabled https://learn.microsoft.com/en-us/azure/app-service/overview-private-endpoint
App Service is also available as single-tenant service that can be added to your VNET (conceptually similar to flexible server) and that's through an ASEv3https://learn.microsoft.com/en-us/azure/app-service/environment/overview
However unless you need the single-tenancy, or the larger choice of plan scale sizes available in ASEv3 Iv2 plans (cores/memory) then regular app service plan that supports private endpoints would be fine.