I wanted the APIs that are hosted in Azure api management, should only be consumed by the web app hosted on same Azure tenant. APIs should not be publicly accessible, I can configure CORS so that domain pointed to my web app or forntdoor can only access those api's. Is there any other best way to achieve his functionality?
You can put all your resources in a VNET: Enable VNET connectivity using the Azure portal
Internal: The API Management gateway and developer portal are accessible only from within the virtual network via an internal load balancer. The gateway can access resources within the virtual network.