Appropriate way to limit host port in http request

What is the appropriate way to limit requests based on the request http port?

I have an ingress gateway configured with virtual host matching on port 8080:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: itaapp-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - "itaapp.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: itaapp
spec:
  hosts:
  - "itaapp.example.com"
  gateways:
  - itaapp-gateway
  http:
  - match:
    - port: 8080
    - uri:
        prefix: /itaapp
    route:
    - destination:
        host: itaapp
        port:
          number: 8080

results in requests being possible from (note 7070 not 8080):

curl -HHost:itaapp.example.com:7070 http://172.16.112.183:32095/itaapp/home.html

I am running:

minikube version: v1.13.0

istioctl version
client version: 1.7.2
control plane version: 1.7.2
data plane version: 1.7.2 (2 proxies)

kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:41:02Z", GoVersion:"go1.15", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"clean", BuildDate:"2020-08-26T14:23:04Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}

Many thanks
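
One way to enforce the port carried in the Host header at the ingress gateway, shown as an added example that is not part of the original post: an Istio AuthorizationPolicy that denies any request whose Host header is not on an explicit list. It assumes the gateway pods run in the istio-system namespace with the label istio: ingressgateway (the selector used in the Gateway above); the policy name is hypothetical.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: itaapp-host-port          # hypothetical name
  namespace: istio-system         # assumption: namespace of the ingress gateway pods
spec:
  selector:
    matchLabels:
      istio: ingressgateway       # same label the Gateway above selects
  action: DENY
  rules:
  - to:
    - operation:
        # Deny every request whose Host header is NOT in this list.
        # Only the host with port 8080 is listed, so "itaapp.example.com:7070"
        # is rejected. Add "itaapp.example.com" as well if a Host header
        # without any port should also be accepted.
        notHosts:
        - "itaapp.example.com:8080"
```

With this policy applied, the curl request above with Host itaapp.example.com:7070 should be answered by the gateway with HTTP 403, while the same request with port 8080 in the Host header is still routed.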