You should be able to configure that in Microsoft IIS in the Reverse Proxy Inbound Rules:
If you remove the ^(rest-doc/)(.*) pattern, I would expect you secured access to that endpoint.
Under environment details section of your cloud node, you can restrict the access.
Refer this for more details :
I was actually wondering the same thing, if it is possible to disable the ‘/rest-doc' access for our customers who run our application on-premises. Since the answer above is only applicable for the Mendix cloud environments, and if a customer is hosting our application on-premises, then they can just change the access restrictions.