Hey there.
Surely some DEBUG level logs will reveal to you each API call that the scanner makes (add -X under args), and you could derive the list of allowed endpoints from there.
And, these endpoints could change from SonarQube version to SonarQube version and shouldn’t be considered as an API (if they change, we aren’t going to make noise about it).
Typically when an organization has such requirements and doesn’t want to move their SonarQube instance the cloud, we would suggest using self-hosted runners.