Forum Discussion
lfk73
Nov 26, 2025 Brass Contributor
Restrict external services using assigned\delegated API permissions to single files
I have an ongoing issue where my customers want to use external services to perform tasks, but those services require access to SharePoint. Of course the complete security non minded service provide...
Kidd_Ip
Nov 27, 2025 MVP
Try this:
1. Register the app in Azure AD and request the Sites.Selected or *.SelectedOperations.Selected scope.
2. Grant admin consent for the scope.
3. Assign permissions to specific objects using Microsoft Graph:
   - Use the /sites/{site-id}/permissions endpoint to grant the app access.
   - You can now target lists, list items, folders, or files instead of just the site.
4. Operations are limited to what you assign. If you only grant read on one file, the app cannot read anything else in the site.
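
An added example, not part of the reply above: a Python sketch that builds the request for the /sites/{site-id}/permissions endpoint from step 3 and then checks a permissions listing for grants wider than intended. The body shape follows the Graph "create permission" call for sites; the IDs, app name, role allow-list and sample permission objects are constructed, and the check assumes each permission object carries its roles.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"read", "write"}  # assumption: this sketch never grants more

def build_site_grant(site_id, app_id, app_name, role):
    """Return (method, url, body) granting one app one role on one site."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"refusing to grant role {role!r}")
    body = {
        "roles": [role],
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": app_name}}
        ],
    }
    return "POST", f"{GRAPH}/sites/{site_id}/permissions", body

def excess_grants(permissions, app_id, expected_role):
    """Return ids of permissions where app_id holds a role beyond expected_role."""
    findings = []
    for perm in permissions:
        apps = [(ident.get("application") or {}).get("id")
                for ident in perm.get("grantedToIdentities", [])]
        extra = set(perm.get("roles", [])) - {expected_role}
        if app_id in apps and extra:
            findings.append(perm["id"])
    return findings

# Constructed sample values (placeholders, not real tenant data).
SITE_ID = "contoso.sharepoint.com,00000000-0000-0000-0000-000000000001,00000000-0000-0000-0000-000000000002"
APP_ID = "11111111-1111-1111-1111-111111111111"
OTHER_APP = "22222222-2222-2222-2222-222222222222"
SAMPLE_PERMISSIONS = [
    {"id": "perm-1", "roles": ["read"],
     "grantedToIdentities": [{"application": {"id": APP_ID}}]},
    {"id": "perm-2", "roles": ["write"],
     "grantedToIdentities": [{"application": {"id": APP_ID}}]},
    {"id": "perm-3", "roles": ["write"],
     "grantedToIdentities": [{"application": {"id": OTHER_APP}}]},
]

if __name__ == "__main__":
    method, url, body = build_site_grant(SITE_ID, APP_ID, "External Service (example)", "read")
    print(method, url)
    print(json.dumps(body, indent=2))
    print("over-privileged grants:", excess_grants(SAMPLE_PERMISSIONS, APP_ID, "read"))
```

The request is only constructed here, not sent; sending it requires an access token for an identity allowed to manage permissions on the site.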