As far as I read the Telegram Bot API's docs, Telegram do not limit the calls to your webhook callback in any way.
I am creating a Telegram Bot that will be available only for groups and channels that I will whitelist.
I can filter out the messages I get in my webhook callback. However, a malicious user can add my bot to a thousand big groups and will possibly result in denial of service for all other users.
Even if Telegram have implemented some rate limiting such user actions may still result in denial of service for all other users.
How can I specify the groups and the channels a Telegram bot can be added to.
That feature does not exist. Either you allow all or none.
In addition to filtering, you could use leaveChat to immediately leave groups that are not on your whitelist.
And there is privacy mode which could make it harder for a malicious user.