unfortunately if the app is public and the rest is public, you can't
However, you could pull both your app and server internal only. Then set up a proxy that only makes your app public. That way your application server is the only server that has access to the internal rest server
It is a complicated setup and will add some additional requirements when it comes to crossdomain access, etc, but it can be made to work