I would strongly recommend against using IP ACLs to "... verify the source IP of the request to prevent acknowledging webhooks from unknown and potentially malicious servers."
You should validate that the request is signed correctly, and reject it if not. An IP ACL can be a useful "remove some of the noise" tool, but no more than that.
> You should validate that the request is signed correctly
I agree with you here, but wondering what you see the benefit of per-app PKI is, versus signing all webhooks with the same cert. Is it to prevent having to do a key rotation that would impact every webhook consumer?
If you specify one public key for all endpoints, It means all consumers can verify each other’s webhook data which is not what you want. You want each consumer to be able to verify only webhooks intended for them and fail otherwise.
We wrote a detailed guide on generating and rolling public key/secrets for your endpoints here [1]
You should validate that the request is signed correctly, and reject it if not. An IP ACL can be a useful "remove some of the noise" tool, but no more than that.
For example, Discord's webhook implementation has you verify the incoming request against an app-specific (your app; not all apps) public key: https://discord.com/developers/docs/interactions/receiving-a... — this is really the right approach to this.