You can use the Access Restrictions under the networking blade of your app service. You can add the IP addresses for Front Door in there and you do not need to use any Vnets etc.
the list of AFD IP Addresses are in the following ranges:-
IPv4 - 18.104.22.168/16
IPv6 - 2a01:111:2050::/44