In your azurerm_windows_web_app resource block, you have to explicitly set the public_network_access_enabled attribute to false. Currently it defaults to true.
Secondly, under site_config, you need to set an scm_ip_restriction block with action set to Deny and ip_address set to 0.0.0.0/0.
Setting the above attributes will deny all public access to your App Service, and only then can you access your web app via the private endpoint. Note that you have to create the private endpoint on the web app itself.
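The three steps from this answer put together as one Terraform configuration. This is an added example, not code from the answer above or from the Terraform provider documentation; the resource names, the VNet/subnet address space, the tag and the `azurerm` 3.x provider are assumptions, and you would adapt them to your environment.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed provider major version
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed names and addresses; change to match your environment.
resource "azurerm_resource_group" "rg" {
  name     = "rg-webapp-private"
  location = "westeurope"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-webapp"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.10.0.0/16"]
}

# Subnet that will host the private endpoint NIC.
resource "azurerm_subnet" "pe" {
  name                 = "snet-private-endpoints"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
}

resource "azurerm_service_plan" "plan" {
  name                = "asp-webapp"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  os_type             = "Windows"
  sku_name            = "P1v3" # private endpoints need a supported tier
}

resource "azurerm_windows_web_app" "app" {
  name                = "app-webapp-private-example" # must be globally unique
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  service_plan_id     = azurerm_service_plan.plan.id

  # Step 1: the attribute defaults to true; turn public access off explicitly.
  public_network_access_enabled = false

  site_config {
    # Keep the SCM (Kudu) rules independent of the main site rules.
    scm_use_main_ip_restriction = false

    # Step 2: deny every public source for the Kudu/SCM site.
    scm_ip_restriction {
      name       = "deny-all-scm"
      action     = "Deny"
      ip_address = "0.0.0.0/0"
      priority   = 100
    }
  }
}

# Private DNS so clients inside the VNet resolve the app (and its .scm host)
# to the private endpoint address.
resource "azurerm_private_dns_zone" "web" {
  name                = "privatelink.azurewebsites.net"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "web" {
  name                  = "link-webapp"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.web.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}

# Step 3: the private endpoint is created on the web app itself.
resource "azurerm_private_endpoint" "web" {
  name                = "pe-webapp"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.pe.id

  private_service_connection {
    name                           = "psc-webapp"
    private_connection_resource_id = azurerm_windows_web_app.app.id
    subresource_names              = ["sites"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.web.id]
  }
}
```

After `terraform apply`, verify from a host inside the VNet that `app-webapp-private-example.azurewebsites.net` and `app-webapp-private-example.scm.azurewebsites.net` both resolve to an address in `10.10.1.0/24`, and from the public internet that both hostnames return a 403; if the SCM host is still reachable publicly, check that `scm_use_main_ip_restriction` is false and that the Deny rule is present in the portal under Networking, Access restrictions, Advanced tool site.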
The quest is to gracefully balance public access to the web app while weaving an intricate tapestry of networking rules that, specifically, cast a veil over the Kudu site, reserving its secrets only for private endpoints. Alas, my journey through Terraform’s documentation and the vast landscape of Azure features has not uncovered the elusive setting to dictate the default networking rule for the Kudu site.