There is a chance that the API key may get exposed and can be compromised.
We want to restrict the Stream API key usage to specific domains or subdomains.
How can we achieve this?
You cannot restrict the Stream API key by domain, because the Stream API key should never be exposed to the client, for the reasons you shared. The right way to use it is to call your backend, which calls the Stream API and returns the result. This way the API key is never public.
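A sketch of the backend pattern described in the answer, added here as an example and not part of the original reply: the browser calls your backend, the backend attaches the key and calls the API. The upstream URL, the `/feed` route, the `STREAM_API_KEY` variable name and the Bearer header format are assumptions; substitute the values from your Stream documentation.

```python
import os
import urllib.error
import urllib.request
from http import HTTPStatus
from urllib.parse import urlsplit
from wsgiref.simple_server import make_server

ALLOWED_DOMAINS = {"example.com"}             # constructed: your site's domain
UPSTREAM_BASE = "https://stream-api.invalid"  # placeholder, not a real endpoint
ROUTES = {"/feed": "/v1/feed"}                # hypothetical: only these are proxied

def origin_allowed(origin, allowed=ALLOWED_DOMAINS):
    """True when the Origin host is an allowed domain or one of its subdomains."""
    try:
        parts = urlsplit(origin or "")
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return False
    # Match on a label boundary so "example.com.evil.test" and "notexample.com" fail.
    return any(host == d or host.endswith("." + d) for d in allowed)

def call_upstream(path, api_key):
    """Server-side call; the Bearer header format is an assumption."""
    req = urllib.request.Request(UPSTREAM_BASE + path,
                                 headers={"Authorization": "Bearer " + api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def make_app(api_key, upstream=call_upstream):
    def app(environ, start_response):
        origin = environ.get("HTTP_ORIGIN", "")
        target = ROUTES.get(environ.get("PATH_INFO", ""))
        # Origin is browser-enforced only; real deployments also authenticate the user.
        if not origin_allowed(origin) or target is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden"]
        status, body = upstream(target, api_key)
        start_response(f"{status} {HTTPStatus(status).phrase}",
                       [("Content-Type", "application/json"),
                        ("Access-Control-Allow-Origin", origin), ("Vary", "Origin")])
        return [body]
    return app

if __name__ == "__main__":
    # The key comes from the server's environment and never reaches the client.
    make_server("127.0.0.1", 8080, make_app(os.environ["STREAM_API_KEY"])).serve_forever()
```

The domain check here limits which browser pages can use your backend; the key itself is protected by staying on the server, and per-user authentication on the backend is what stops non-browser callers.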