Hi @alexmass,
I'll do my best to address your questions.
Security?
Both will restrict what traffic makes its way to your app service. Your app service will only respond to traffic you designated, whether it's IP or Service Endpoint
Networking? (path used by requests sent to application gateway)
Using Service Endpoint will gain advantage as the traffic request traverses the Azure backbone, see https://learn.microsoft.com/en-us/azure/app-service/networking/app-gateway-with-service-endpoints#integration-with-app-service-multi-tenant. When it comes to VIP, I'm not exactly sure if there's any efficiencies, but I would error to say no. More than likely, the traffic will out to the internet and back in from a routing standpoint. You could circumvent this by using a private endpoint on the App Service.
Pricing ?
Your costs will come from the SKUs of the App Gateway and App Service. From what you've stated, I don't think you will need a private endpoint; see https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint, but there is a cost associated if you go that route.