How to disable an access to the Application Server by web GUI

I am not aware of way to do this via configuration. I would use an application-level firewall and filter everything that wasn’t prefixed by /api.

Of course, anything that can be done via the UI can be done via the API, but it would take a little more work on someone’s part to stand up the UI somewhere else.