IP address whitelisting/blacklisting is effective and works great at the journey level. However, this method is not sufficient for controlling access to non-journey APIs. To the best of my knowledge at the time of this response, ForgeRock IDCloud does not currently offer the capability to restrict access to specific domains or sub-domains based on IP addresses.
It’s worth noting that I am under the impression that this is a feature ForgeRock may be considering. I recommend submitting a support ticket to obtain an official statement and any potential implementation schedules from ForgeRock.