A good start point would be this:
https://enterprise.arcgis.com/en/server/11.1/administer/windows/restricting-cross-domain-requests-to...
but there are some things that should be considered. One it’s a global setting, so if you have services that are not subject to licensing restrictions then they will be affected as well.
the other thing is that I think it only works with JSAPI based apps. So native apps and Pro may not be limited, but it would be worth testing.
if you have a web application firewall then you may be able to create custom rules there, but this can often cause wider issues unless someone truly understands what is happening in terms of requests to the server.
another approach I think I’ve seen is to secure the web service. Add it as an item into the portal with credentials. Then add the item to the map application. The app can be unsecured, and when it references the item the Enterprise Portal injects creds. Sorry I haven’t got time to test this, and it was many years ago that I saw something like this so I may be wrong.
I hope something above gets you close.
Scott Tansley
https://www.linkedin.com/in/scotttansley/