Jose is correct on implementation. The Method Security is probably the way to go. That is done at the BO level so will cover you no matter which way someone accesses the BO. If we locked down just the REST endpoints, you are just making the minimum code to do damage two lines of code instead of an HTTP URL.
If you need to lock down a service, I’d tackle it there.
If you REALLY think you JUST need to lock down REST but leave a security hole a semi can drive through in WCF, you could look at a firewall solution with content filtering. I have not played in that area of IT Hardware in awhile so I’d defer to someone with more current domain expertise and available approaches / devices.