Additionally to the username/password used when doing API calls to our tenant API, is it possible to restrict receiving API calls from specific source IPs?
Not in shared cloud environments. On dedicated/private instances you might change the loadbalancer configuration only accepting requests from specific IP-ranges as this is a infrastructure configuration and cannot be configured on tenant level.