@Mohsen Akhavan, please go through the inline comments:
1. Regarding my research, in my opinion I should add two virtual networks and create two separate zones. Only App Services can access vNet1 services.
--> You can avoid splitting the networks here by deploying Private Link between App Service and SQL/Storage.
2. Add an Azure Firewall to add an IP-limit rule for accessing App Service 1 from the virtual machine, and other limitations.
--> You don't deploy an Azure Firewall here just for the purpose of allowing the whitelisted IPs. Instead, you can utilize the access restriction feature in Azure App Service.
3. Add an Azure Application Gateway for using WAF.
--> If you are looking to remove the public access for App Service, then try Azure Front Door Premium to connect your web app origin with Private Link.
----------
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
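An added example (not code from the answer above or from Microsoft) showing points 1 and 2 together as one Bicep fragment: the App Service gets an access-restriction allow rule for a single VM address instead of an Azure Firewall, and the SQL server has public access disabled and is reachable only through a private endpoint from the app's integrated VNet. All names, the two subnet IDs and the 203.0.113.10 address are placeholders/assumptions.

```bicep
// Added example; names, subnet IDs and the VM address below are placeholders.
param location string = resourceGroup().location
param appName string = 'app-service-1'           // placeholder
param sqlServerName string = 'sql-placeholder'   // placeholder
param integrationSubnetId string                  // subnet delegated to Microsoft.Web/serverFarms (assumption)
param privateEndpointSubnetId string              // subnet that hosts the SQL private endpoint (assumption)
param allowedVmIp string = '203.0.113.10'         // constructed sample: the only VM allowed to reach the app
@secure()
param sqlAdminPassword string
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-${appName}'
  location: location
  sku: { name: 'P1v3', tier: 'PremiumV3' }
}
// Point 2: App Service access restrictions replace the Azure Firewall IP rule.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: integrationSubnetId   // regional VNet integration for outbound traffic
    siteConfig: {
      vnetRouteAllEnabled: true                   // route all outbound traffic into the VNet
      ipSecurityRestrictions: [
        { name: 'allow-vm', action: 'Allow', priority: 100, ipAddress: '${allowedVmIp}/32' }
        { name: 'deny-all', action: 'Deny', priority: 2147483647, ipAddress: 'Any' }
      ]
      scmIpSecurityRestrictionsUseMain: true      // apply the same rules to the Kudu/SCM site
    }
  }
}
// Point 1: SQL has no public endpoint; the app reaches it over Private Link.
resource sql 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: sqlServerName
  location: location
  properties: {
    administratorLogin: 'sqladmin'              // placeholder
    administratorLoginPassword: sqlAdminPassword
    publicNetworkAccess: 'Disabled'
  }
}
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${sqlServerName}'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      { name: 'sql', properties: { privateLinkServiceId: sql.id, groupIds: [ 'sqlServer' ] } }
    ]
  }
}
```

Name resolution still needs a privatelink.database.windows.net private DNS zone linked to the VNet (not shown here), otherwise the app resolves the public name and the connection fails once public access is disabled.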