Thanks for reaching out to Q&A.
You could use ip-filter policy to allow or denies calls from specific IP addresses and/or address ranges. Or you could front API Management with Azure Front Door as explained in this article, or alternatively with Application Gateway and use a Web Access Firewall (WAF) with a custom rule to allow or deny calls from specific geographies. To create a geo-filtering custom rule, select Geo-location as the Match Type, and then select the country you want to allow/block from your application.
If you use the ip-filter policy, so it's your responsibility to explicitly allow or deny ip address ranges, included any Front Door and/or Application Gateway health probe. If you use a WAF policy, this refers to the incoming calls to Front Door or Application Gateway. When using Front Door or Application Gateway in front of APIM you should not invoke APIM directly, but only through Front Door or App Gateway. This way the WAF custom rule could check if calls come from allowed
I hope this helps!
Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.