I'd like to restrict example.com/app/* (the backend for business users) to specific IP addresses (basically my LAN or VPN'd into the LAN), while if the destination is example.com/'anything-but-app'* (the website) can accept connections from any IP address.

These are two rules in fact. Do you really need both of them?

Assuming it is sufficient to restrict access to example.com/app/*, you can do it this way:

In Firewall > Aliases create an alias for the allowed networks, say AllowedNets.

Then create an ACL, call it "AllowedNets", "Source IP matches IP or Aliases", check "Not" and state AllowedNets as value.

If you also need to limit the rule to the certain host create an "host matches" ACL and put example.com into the value box. Call it MyHost.

Add an ACL, say "MyPath", "Path starts with" "/app/".

Create an action "http-request deny", in the condition ACL box insert "MyHost MyPath AllowedNets" (all the ACL you've created before, separated by spaces).