Tags: aws-api-gateway, aws-security-group, amazon-elb

What is the best way to restrict access to an Application Load Balancer?


Ideally, I'd like to lock down my ALB so that it can only be accessed by API Gateway.

I've looked into whether I can associate API Gateway with an Inbound Rule; however, I have found that API Gateway cannot be associated with an IP address or a security group. I've also looked into an internal-facing ALB, but I've been unable to get these working as VPC link only supports NLB.

Any help will be greatly appreciated - I've been looking in the Gateway Settings but cannot find this option.

What is the best way to approach this so that the ALB is as restricted as possible?


Solution

  • The API Gateway doesn't have a static IP, and ALBs don't offer any authentication other than Cognito User Pools at this moment. Because of that, I would say your best option is to use a VPC link with a Network Load Balancer, as you propose, and tunnel the request via the NLB to your ALB.

    Alternatively, you could have a Lambda inside your VPC invoke the ALB. That would be a lot slower, but cheaper for low volumes because you skip the NLB.
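The chain the answer recommends (REST API → VPC link → internal NLB → internal ALB), written out as a Terraform configuration. This is an added example, not code from the question, the answer, or AWS; the resource names, the `var.vpc_id`, `var.private_subnet_ids` and `var.nlb_subnet_cidrs` inputs, and the use of port 80 between the load balancers are assumptions. The security-relevant part is the ALB's security group: because the NLB forwards to the ALB from private addresses inside the NLB's own subnets, the ALB only needs to accept traffic from those CIDR ranges, and nothing else (no 0.0.0.0/0 rule) has to be opened.

```hcl
# Internal ALB: not reachable from the internet at all. Its only allowed
# source is the NLB that fronts it (assumption: NLB and ALB share the same
# private subnets, so the NLB's private IPs fall inside var.nlb_subnet_cidrs).
resource "aws_security_group" "alb_sg" {
  name   = "internal-alb-sg"
  vpc_id = var.vpc_id

  ingress {
    description = "Only the NLB's private addresses may reach the ALB"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = var.nlb_subnet_cidrs   # e.g. ["10.0.10.0/24", "10.0.11.0/24"] (assumed)
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "internal_alb" {
  name               = "internal-alb"
  internal           = true                # no public DNS name, no public IPs
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb_sg.id]
  subnets            = var.private_subnet_ids
}

# Internal NLB that the VPC link will attach to. NLBs have no security group
# of their own here; the restriction lives on the ALB behind it.
resource "aws_lb" "nlb" {
  name               = "vpclink-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
}

# Register the ALB itself as the NLB's target (target_type = "alb").
resource "aws_lb_target_group" "alb_tg" {
  name        = "nlb-to-alb"
  target_type = "alb"
  port        = 80
  protocol    = "TCP"
  vpc_id      = var.vpc_id
}

resource "aws_lb_target_group_attachment" "alb_attach" {
  target_group_arn = aws_lb_target_group.alb_tg.arn
  target_id        = aws_lb.internal_alb.arn
  port             = 80
}

resource "aws_lb_listener" "nlb_listener" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 80
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.alb_tg.arn
  }
}

# The VPC link is the only path from API Gateway into the VPC.
resource "aws_api_gateway_vpc_link" "link" {
  name        = "alb-via-nlb"
  target_arns = [aws_lb.nlb.arn]
}

# Minimal REST API whose root GET is proxied through the VPC link.
resource "aws_api_gateway_rest_api" "api" {
  name = "alb-front-door"
}

resource "aws_api_gateway_method" "root_get" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_rest_api.api.root_resource_id
  http_method   = "GET"
  authorization = "NONE"   # assumption: put your real authorizer here
}

resource "aws_api_gateway_integration" "root_get" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_rest_api.api.root_resource_id
  http_method             = aws_api_gateway_method.root_get.http_method
  type                    = "HTTP_PROXY"
  integration_http_method = "GET"
  connection_type         = "VPC_LINK"
  connection_id           = aws_api_gateway_vpc_link.link.id
  uri                     = "http://${aws_lb.nlb.dns_name}/"
}
```

Two points worth checking after `terraform apply`: the ALB's security group should show no `0.0.0.0/0` ingress rule, and `aws elbv2 describe-load-balancers` should report `Scheme: internal` for both load balancers, since an internet-facing ALB behind the NLB would leave a second, unauthenticated path open. If the API is an HTTP API (API Gateway v2) rather than a REST API, its VPC link can target an ALB directly and the NLB hop is not needed; the same internal-only ALB and security-group restriction still apply.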