Can I restrict access to services when accessing HA remotely?

I would like to see if it’s possible to block certain aspects of HA when accessing remotely. For example, if I’m accessing from outside my local network, I can’t access the services for locks, but I can still access the rest of my devices.

I have a separate NGINX service performing reverse proxy to my server. From my understanding, there’s 2 options to accessing HA: WebSocket and REST. REST is easy enough to block with NGINX, but the HA frontend transmits data via WebSockets. Since there’s only 1 domain for WebSockets, it’s an all or nothing scenario (unless I can somehow read the data it’s sending and block it in NGINX). Has anyone tried setting up something like this before?