Apache2 how to limit a subdirectory to local network only

I have an Apache2 (2.4.41) server running on Ubuntu 20.04 that serves a couple of Flask web apps differentiated by sub-directory to the internet over HTTPS and a No-IP DDNS (https://mysite.noip.com/site1, /site2 etc...). I'd like to host a third flask web app (/site3 for example) on this same server but only have it accessible to the local network (192.168.1.x/site3 but not mysite.noip.net/site3), SSL won't matter as you'll only be able to reach this site via the server's local IP (192.168.1.x/site3) so running over port 80 is fine however how do I configure this within Apache2?

I can't find anything about differentiating access to websites via the subdirectory, especially with two of them (/site1-2) running externally over 443 SSL. To make things easier I could run this site3 on a different port (192.168.1.x:81/site3) I guess and not forward this through the router to the internet but when I tried this I just messed up the other working ports (80/443). My config is below, any help or ideas on where to start would be greatly appreciated!

Sites-enabled/000-default.conf:

LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so

<VirtualHost *:80>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>

        SSLEngine on
        SSLCertificateKeyFile /etc/apache2/ssl/#######.key
        SSLCertificateFile /etc/apache2/ssl/######.pem-chain
        #SSLCertificateChainFile /etc/apache2/ssl/######.pem
        XSendFile on
        XSendFilePath /######/######/########/

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        WSGIScriptAlias /site1 /home/#####/site1/site1.wsgi

        <Directory /home/######/site1/>
                Options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>


        WSGIScriptAlias /site2 /home/#####/site2/site2.wsgi application-group=%{GLOBAL}

        <Directory /home/#######/site2/>
                Options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>
</VirtualHost>

apache2ctl -S:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:3)
*:443                  127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:9)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

https://httpd.apache.org/docs/2.4/howto/access.html

<RequireAll>
    Require all granted
    Require not ip 192.168.4.0/24
</RequireAll>

inside your <Directory> stanza should do the trick.

As always the Apache manual is very good and thorough documentation with plenty of examples on how to do things.