Yes, you can:
If you have a wildcard cert (requires building Caddy with a plugin for your DNS provider to solve the ACME DNS challenge), then you can use that pattern to set up your sites.
You can use the remote_ip matcher to reject requests that are coming from IP addresses that are non-private (and use abort to close the connections):
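The setup described above as a Caddyfile; this is an added example, not part of the original reply. The domain, hostnames, upstream ports, the `cloudflare` DNS provider and the `CF_API_TOKEN` variable are assumptions.

```caddyfile
# Constructed example: example.com, the subdomains and the upstream
# ports are placeholders, not values from the original post.
*.example.com {
	tls {
		# A wildcard certificate needs the ACME DNS challenge, which needs
		# a Caddy build that includes the plugin for your DNS provider.
		# "cloudflare" and the environment variable name are assumptions.
		dns cloudflare {env.CF_API_TOKEN}
	}

	# Matches any request whose connecting address is NOT in a private
	# or loopback range (private_ranges is a built-in shortcut).
	@public not remote_ip private_ranges

	# handle blocks are mutually exclusive and tried in the order written
	# here, so the rejection is listed first. abort closes the connection
	# without sending a response.
	handle @public {
		abort
	}

	@app host app.example.com
	handle @app {
		reverse_proxy localhost:8080
	}

	@wiki host wiki.example.com
	handle @wiki {
		reverse_proxy localhost:8081
	}

	# Subdomains covered by the wildcard but not configured above.
	handle {
		abort
	}
}
```

`remote_ip` compares against the address of the immediate TCP peer, so if Caddy sits behind another proxy or load balancer every request will appear to come from that proxy. In that layout, configure `trusted_proxies` and match with `client_ip` instead.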