I think you have some confusion that I want to help you clear up.

By the very fact that you are talking about “making Ajax calls” you are talking about your application making remote requests to your server. Even if your website is served from the same domain you are making a remote request.

I only want requests from the same server to be allowed!

Therein lies the problem. You are not talking about making a request from server-to-server. You are talking about making a request from client-to-server (Ajax), so you cannot use IP restrictions (unless you know the IP address of every client that will access your site).

Restricting Ajax requests does not need to be any different than restricting other requests. How do you keep unauthorized users from accessing “normal” web pages? Typically you would have the user authenticate, create a user session on the server, pass a session cookie back tot he client that is then submitted on every request, right? All that stuff works for Ajax requests too.

If your API is exposed on the internet there is nothing you can do to stop others from trying to make requests against it (again, unless you know all of the IPs of allowed clients). So you have to have server-side control in place to authorize remote calls from your allowed clients.

Oh, and having TLS in place is a step in the right direction. I am always amazed by the number of developers that think they can do without TLS. But TLS alone is not enough.