The CloudMD platform team needs to secure their REST API, which is served from EC2 instances behind an ALB and fronted by CloudFront. The EC2 instances are in an Auto Scaling group and private subnets, with the ALB in public subnets and acting as the sole CloudFront origin. Which solution should a solutions architect recommend to enhance the origin security?