I use client certificate authentication (or mTLS) to access internal services. It requires the client device to present a digital certificate during the TLS handshake, so I don’t need to white list any IP addresses.
What about something like this: A javascript bookmarklet that fetches the html page with SRI, then turn the file into a blobURL and run. Within the html page, all resources are chained with SRI.