What is the best way to restrict access to an Application Load Balancer?

Use WAF to verify the custom HTTP Header value set at API GW

Inject a custom HTTP header at the Integration Request of a API GW HTTP Integration method. Use the static value as explained in Amazon API Gateway API request and response data mapping reference.

'STATIC_VALUE'. The STATIC_VALUE is a string literal and must be enclosed within a pair of single quotes.

As in the case with AWS documentations, it is confusing if we should use the "integration.request.header." format. If setting up in the AWS console, no need to type "integration.request.header." Just type the header name only. Make sure the header value is single quoted

However, when using a tool like CDK or CFN, then we need to use the "integration.request.header." part.

cdk_api_method: aws_apigateway.Method = cdk_api_resource.add_method(
    http_method="post",
    integration=aws_apigateway.HttpIntegration(
        url=url,
        http_method="post",
        proxy=True,
        options=aws_apigateway.IntegrationOptions(
            request_parameters={
                "integration.request.header.{}".format(HTTP_HEADER_X_VALIDATION_CLIENT_NAME): "'{}'".format(HTTP_HEADER_X_VALIDATION_CLIENT_VALUE)
            }
        )
    )
)

Setup up WAF to verify the HTTP header value and associate the ALB to WAF ACL.

# https://github.com/aws-samples/wafv2-json-yaml-samples/blob/master/JSON/rule-001.json
aws_wafv2.CfnWebACL.RuleProperty(
    name='header-x-validation-client',
    action=aws_wafv2.CfnWebACL.RuleActionProperty(
        allow={}
    ),
    statement=aws_wafv2.CfnWebACL.StatementOneProperty(
        byte_match_statement=aws_wafv2.CfnWebACL.ByteMatchStatementProperty(
            field_to_match=aws_wafv2.CfnWebACL.FieldToMatchProperty(
                single_header={
                  "Name": HTTP_HEADER_X_VALIDATION_CLIENT_NAME
                }
            ),
            positional_constraint="EXACTLY",
            search_string=HTTP_HEADER_X_VALIDATION_CLIENT_VALUE,
            text_transformations=[
                aws_wafv2.CfnWebACL.TextTransformationProperty(
                    priority=0,
                    type="NONE"
                )
            ]
        )
    ),
    visibility_config=aws_wafv2.CfnWebACL.VisibilityConfigProperty(
        sampled_requests_enabled=True,
        cloud_watch_metrics_enabled=True,
        metric_name='waf-rule-header-x-validation-client'
    ),
    priority=0
)

The API Gateway doesn't have a static IP and ALBs don't offer any authentication other than Cognito User Pools at this moment. Because of that I would say your best option is to use a VPC link with Network Load Balancer as you propose and tunnel the request via the NLB to your ALB.

Alternatively you could have a Lambda inside your VPC invoke the ALB but that would be a lot slower, but cheaper for low volumes because you skip the NLB.