I would like to restrict access to my log drain to only allow Heroku to send logs.
Unfortunately, it is practically impossible.
As of writing this, Heroku's Logplex forwards logs through infrastructure running in AWS's us-east-1 region. The log drain sees some of the IP addresses assigned for AWS's EC2 instances in the region as the source IP addresses.
For customers who have Shield Private Spaces, Private Space Logging is available. For an app in the Shield Private Space with Private Space Logging enabled, router logs and app logs are directly sent from the server where the dyno is. The log drain sees some of the IP addresses assigned for AWS's EC2 instances for the region where the Shield Private Space is as the source IP addresses, in addition to logs around the platform API which are sent from those in us-east-1.