You can edit your AppService network restrictions to only allow the Front Door service tag, and restrict access to only your Front Door's origin ID.
refer - https://www.reddit.com/r/AZURE/comments/o04dx0/azure_front_door_connecting_to_app_service_in_a/
Azure Private Link enables you to access Azure PaaS Services and Azure hosted services over a Private Endpoint in your virtual network. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet.
Azure Front Door Premium SKU can connect to your origin via private link service. Your applications can be hosted in your private VNet or behind a PaaS service such as Web App and Storage Account, removing the need for your origin to be publically accessible.
Note- Azure Front Door Standard/Premium (Preview) is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads.
Please refer below link for more details
https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/concept-private-link
If the Answer is helpful, please click Accept Answer
and up-vote, this can be beneficial to other community members.