Update, as we've made a significant change to the service which will allow for whitelisting (though the secret from the original response works fine, as well).
All calls coming from PlayFab will now be seen as coming from one of three IP Addresses: 34.213.208.16, 34.216.170.167, and 52.13.201.178.
PlayFab calls can come from any AWS US-West-2 IP Address, so you really can't whitelist it that way. If you're creating a Web API endpoint which will be called from Cloud Script, just use a header value to pass a shared secret, though. You can have that defined as a static value in your Cloud Script, since no client will ever be able to see that.
1 Person is following this question.