SharePoint App Only authentication

Which service handles the authentication for SharePoint app only? Is that service completely different from Azure AD?

A custom solution at our org is using Azure AD App with Sites.FullControl.All permission. This AAD App is also given SharePoint App-Only full control rights. We are planning to apply the newly released Workload Identities Conditional Access Policy to restrict the IPs the app can connect from. My question is, will the SharePoint App-Only auth method respect the CAP or that auth method is handled by a different service and as such will remain unsecure.