As the frontend should be accessible to the internet, so users can do SSO and/or download a profile, how can I limit the Pritunl web interface to be served only when using the FQDN and not an IP address? It is pretty simple to do with vhosts when using Apache / nginx, but I cannot find something like this for the Pritunl server.
There isn’t any option in Pritunl to configure this and it shouldn’t be configured. Certain configurations including WireGuard connections will make direct HTTP connections with the server's virtual VPN IP address.
If the load balancer is configured externally to the Pritunl server this will not cause any problems. The internal requests get sent over the VPN connection and would skip the external load balancer. Attempting to modify the Pritunl web server or running web server software on the same host could cause problems with this.
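A sketch of the external load balancer approach mentioned above, added here as an example and not taken from the thread or from Pritunl's documentation. It assumes nginx 1.19.4 or later running on a separate host; `vpn.example.com`, `10.0.0.10`, the upstream port and the certificate paths are placeholders.

```nginx
# Runs on a separate load balancer host, NOT on the Pritunl server, so the
# direct HTTP connections clients make to the server's virtual VPN IP address
# never pass through it.
# Assumption: a firewall limits the Pritunl host's public web port to this
# load balancer; otherwise the interface is still reachable by IP.

upstream pritunl_web {
    server 10.0.0.10:443;          # placeholder: Pritunl host address and web port
}

# Catch-all for TLS: clients connecting by IP send no matching SNI and are
# refused during the handshake; a mismatched Host header is dropped.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;       # available since nginx 1.19.4
    return 444;                    # close the connection without a response
}

# Catch-all for plain HTTP requests that do not name the FQDN.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Redirect HTTP to HTTPS only for the expected hostname.
server {
    listen 80;
    server_name vpn.example.com;   # placeholder FQDN
    return 301 https://$host$request_uri;
}

# The only virtual host that reaches the Pritunl web interface.
server {
    listen 443 ssl;
    server_name vpn.example.com;   # placeholder FQDN
    ssl_certificate     /etc/nginx/tls/vpn.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/vpn.example.com.key;   # placeholder path

    location / {
        proxy_pass https://pritunl_web;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running `curl -k https://<load-balancer-ip>/` against this configuration should fail at the TLS handshake, while the same request to the FQDN is proxied through.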