If you’d want to allow only one or multiple IP address(es) to access the wp-login.php page adn block everyone else from accessing it, I’d suggest you to create a WAF rule where:
That way, only your public IP (or VPN IP?) is allowed while everyone else is blocked if they try to access wp-login.php page.
Furthermore, you don’t want to block the “wp-admin” and anything below it since WordPress themes, plugins, etc. uses resources (JS and CSS files) and has Ajax requests through it. If you’d block “wp-admin”, your Website would experience crashes and bugs, not working as expected, etc.
Otherwise, a better way would be to use Cloudflare Access in such case.
Great step-by-step tutorial how to configure it at the articles from below:
Other suggestion: