Introducing an Azure Firewall is an expensive way to achieve your goal. If you can modify your requirement slightly, another way would be to use a small integration subnet to control the number of IP addresses available to the app. In this case, a /29 is the smallest possible and would give you 3 usable addresses. As long as you can set the SFTP side to allow inbound traffic from any of these three addresses, you will be good.
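As an added illustration (not part of the original answer), the Python below derives the SFTP allowlist from an integration subnet, using the fact that Azure reserves the first four addresses and the last address of every subnet, then flags accepted logins from any other source. The prefix `10.0.1.0/29`, the account name, and the sshd log lines are constructed, and it assumes the SFTP server sees the subnet's private addresses as the connection source.

```python
import ipaddress
import re

# Azure reserves the first four addresses (network, gateway, two for DNS)
# and the last address (broadcast) in every subnet.
AZURE_RESERVED_HEAD = 4
AZURE_RESERVED_TAIL = 1

def azure_usable_addresses(cidr):
    """Return the addresses Azure can assign inside the given IPv4 subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.num_addresses <= AZURE_RESERVED_HEAD + AZURE_RESERVED_TAIL:
        raise ValueError(f"{cidr} leaves no assignable addresses in Azure")
    first = int(net.network_address) + AZURE_RESERVED_HEAD
    last = int(net.broadcast_address) - AZURE_RESERVED_TAIL
    return [ipaddress.ip_address(i) for i in range(first, last + 1)]

# Matches OpenSSH "Accepted <method> for <user> from <source> port <n>" lines.
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")

def unexpected_logins(log_lines, allowed):
    """Return (user, source) for accepted logins from outside the allowlist."""
    allowed = set(allowed)
    hits = []
    for line in log_lines:
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are out of scope here
        user, source = m.groups()
        try:
            ok = ipaddress.ip_address(source) in allowed
        except ValueError:
            ok = False  # source logged as something other than an IP literal
        if not ok:
            hits.append((user, source))
    return hits

# Constructed sample input: integration subnet and sshd log excerpts.
SUBNET = "10.0.1.0/29"
SAMPLE_LOG = [
    "Mar 03 10:15:01 sftp01 sshd[2211]: Accepted publickey for appsvc from 10.0.1.5 port 50122 ssh2",
    "Mar 03 10:17:44 sftp01 sshd[2230]: Accepted password for appsvc from 10.0.1.9 port 40110 ssh2",
    "Mar 03 10:18:02 sftp01 sshd[2231]: Failed password for root from 10.0.1.4 port 40112 ssh2",
    "Mar 03 10:19:30 sftp01 sshd[2240]: Accepted publickey for appsvc from 10.0.1.3 port 50300 ssh2",
]

if __name__ == "__main__":
    allow = azure_usable_addresses(SUBNET)
    print("allowlist:", ", ".join(str(a) for a in allow))
    for user, source in unexpected_logins(SAMPLE_LOG, allow):
        print(f"unexpected accepted login: user={user} source={source}")
```

The login from `10.0.1.3` is flagged even though it falls inside the /29, because that address is one of the reserved ones and should never be an app instance.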