API Access Tokens can be restricted to allow access only from specific Allowed IP Addresses. Those restrictions have been honoured by the REST API, but not by the GraphQL API — until now. We've made sure these restrictions are also applied to GraphQL requests.
Check out the API Access Token documentation and configure your tokens on the API Access Tokens page.