This is present by some time now but people usually forget about this security necessity. You can block access to on-prem Exchange admin center by using client access policy.
New-ClientAccessRule -Name "Restrict EAC Access" -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddressesOrRanges 192.168.10.1/24 -ExceptUsernameMatchesAnyOfPatterns *something*
Don't expect EAC to bi invisible when you connect to it because of policy. You can still connect to it but when you log in it shows the following screen...