When associating an EC2 instance with an IAM role via "aws ec2 associate-iam-instance-profile" it seems that all Linux users on the instance can make API calls via those credentials. Is there a way to leverage the IAM instance profile but restrict access to specific users within the OS?
No, this is not possible.
The EC2 instance metadata is available to anyone who can access the URL, which typically means any user and any app on the computer.
It sounds like you will need to store credentials against each application, by using a credentials file.
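The per-application credentials file the answer suggests only restricts access if the file itself is locked down to that application's OS user. The following is an added example (not from the original answer, and not an AWS SDK API) that loads a named profile from a shared-credentials-style INI file and refuses files that are group/world readable or owned by the wrong uid; the profile name `billing-app` and the key values are constructed placeholders.

```python
import configparser
import os
import stat
import tempfile


def load_app_credentials(path, profile, expected_uid=None):
    """Read one app's keys from its own credentials file.

    The point of per-app files is that only that app's OS user can use the
    keys, so refuse files other local users could read, and optionally
    check the owner matches the uid the app is expected to run as."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} is group/world accessible (mode {stat.S_IMODE(st.st_mode):04o})")
    if expected_uid is not None and st.st_uid != expected_uid:
        raise PermissionError(
            f"{path} is owned by uid {st.st_uid}, expected uid {expected_uid}")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    if profile not in cfg:
        raise KeyError(f"profile [{profile}] not found in {path}")
    section = cfg[profile]
    return {
        "aws_access_key_id": section["aws_access_key_id"],
        "aws_secret_access_key": section["aws_secret_access_key"],
    }


def demo():
    """Constructed sample file: a 0644 copy is rejected, a 0600 copy loads."""
    sample = (
        "[billing-app]\n"
        "aws_access_key_id = AKIAEXAMPLEPLACEHOLDER\n"      # placeholder, not a real key
        "aws_secret_access_key = EXAMPLESECRETPLACEHOLDER\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials")
        with open(path, "w") as f:
            f.write(sample)
        os.chmod(path, 0o644)          # readable by every local user: reject
        try:
            load_app_credentials(path, "billing-app")
            loose_accepted = True
        except PermissionError:
            loose_accepted = False
        os.chmod(path, 0o600)          # owner-only: accept
        creds = load_app_credentials(path, "billing-app", expected_uid=os.getuid())
        return loose_accepted, creds["aws_access_key_id"]


if __name__ == "__main__":
    print(demo())
```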