Depends on the technology being used, if you are using a SSR framework then yes, but for CSR style frontends you would need to utilize something like CORs to restrict access.
Keep in mind, if someone really wants to dig at your API endpoints it will be a never ending battle to keep them restricted, with the only “real” solution is to not make them public and require registration / authentication.