@Krishnan Thanks for reaching out. Yes, setting up Azure APIM in a VNET external mode and configuring NSG rules to only allow traffic from the Cloudflare IP range will restrict access to both the custom domain and the built-in domain.
When you configure your API Management instance to use the VNET external mode, it will only be accessible through the VNET subnet that you associate with it. This means that traffic to both the custom domain and the built-in domain will be routed through the VNET subnet and subject to the NSG rules that you configure.
Therefore, if you configure the NSG rules to only allow traffic from the Cloudflare IP range, all traffic to both the custom domain and the built-in domain will be restricted to the Cloudflare IP range.
Do let me know in case of further queries; I would be happy to assist you.
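
An added example, not part of the answer above: a Python check that lists the inbound Allow rules in an NSG that open port 443 to any source outside the edge allow-list. The rule dictionaries use ARM `securityRules` property names; the rule names, the sample rules and the documentation CIDRs standing in for the Cloudflare ranges are constructed assumptions.

```python
import ipaddress

# Constructed allow-list: documentation ranges stand in for Cloudflare's published ranges.
EDGE_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed NSG rules, using ARM securityRules property names.
RULES = [
    {"name": "allow-edge-443", "priority": 100, "direction": "Inbound",
     "access": "Allow", "destinationPortRange": "443",
     "sourceAddressPrefixes": ["192.0.2.0/24", "198.51.100.128/25"]},
    {"name": "allow-apim-mgmt", "priority": 110, "direction": "Inbound",
     "access": "Allow", "destinationPortRange": "3443",
     "sourceAddressPrefix": "ApiManagement"},
    {"name": "allow-any-https", "priority": 200, "direction": "Inbound",
     "access": "Allow", "destinationPortRanges": ["80", "400-500"],
     "sourceAddressPrefix": "Internet"},
    {"name": "allow-office", "priority": 210, "direction": "Inbound",
     "access": "Allow", "destinationPortRange": "*",
     "sourceAddressPrefix": "203.0.113.7"},
]

def covers_port(rule, port):
    """True if the rule's destination port spec ("*", "443", "400-500") includes port."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "")]
    for spec in specs:
        low, _, high = spec.partition("-")
        if spec == "*" or (low.isdigit() and int(low) <= port <= int(high or low)):
            return True
    return False

def in_allow_list(prefix, allowed):
    """True only for a CIDR/IP fully inside an allowed range; tags and "*" fail."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # service tag such as "Internet", or "*"
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def overbroad_allows(rules, allowed_cidrs, port=443):
    """Names of inbound Allow rules that open `port` to sources outside the allow-list."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
        if covers_port(rule, port) and not all(in_allow_list(s, allowed) for s in sources):
            flagged.append(rule["name"])
    return flagged
```

The check looks only at port 443, so a rule for a different port, such as the constructed management rule on 3443, is not flagged.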