You have two options. The "easy" option is to remove the ZAC binding and go back to the older style of deploying the ZAC in a standalone or docker-based deployment.
The better option is to split the management API away from the internet entirely, taking the ZAC along with it. It's certainly more important to have the management API off the internet than ZAC imo. The ZAC uses the management API to configure the overlay; it's a UI on top of that API. There are numerous forum posts on how to split the management API as well as a video from a couple years back.
- Making ZAC dark - #23 by TheLumberjack
- https://www.youtube.com/watch?v=FI4byEDg344
- https://www.youtube.com/watch?v=FikxZtWIQKM
Hope that helps
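An added illustration of the split described above, not part of the original post or taken from the linked threads: the `web` section of a controller config before and after moving the management API and ZAC onto their own private listener. Listener names, hostnames, ports and the ZAC path are placeholder assumptions, and the sketch assumes the controller's server certificate is valid for both addresses.

```yaml
# Before: a single listener serves every API, so the management API
# and the ZAC are reachable wherever the client API is.
web:
  - name: all-apis                        # placeholder listener name
    bindPoints:
      - interface: 0.0.0.0:1280
        address: ctrl.example.com:1280    # placeholder public address
    apis:
      - binding: edge-client
      - binding: edge-management
      - binding: fabric
      - binding: zac
        options:
          location: /opt/zac              # placeholder path to the ZAC files
          indexFile: index.html
---
# After: the public listener carries only the client API. The management
# API, the fabric API and the ZAC move together to a listener bound to a
# non-routable interface.
web:
  - name: public-client
    bindPoints:
      - interface: 0.0.0.0:1280
        address: ctrl.example.com:1280
    apis:
      - binding: edge-client
  - name: private-management
    bindPoints:
      - interface: 127.0.0.1:1281         # assumption: loopback only
        address: localhost:1281
    apis:
      - binding: edge-management
      - binding: fabric
      - binding: zac                      # ZAC stays beside the API it drives
        options:
          location: /opt/zac
          indexFile: index.html
```

After restarting the controller, a request to the public address for the management API path should no longer be served, while the same request against the private listener from the controller host should succeed.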