By default, SOAP API calls can log in with a generic Salesforce login URL, such as https://login.salesforce.com, or your My Domain login URL, such as https://mycompany.my.salesforce.com. To further restrict access to your org, require that SOAP API logins use your My Domain login URL.
Where: This change applies to Lightning Experience and Salesforce Classic in Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer editions.
How: This option is available through the doesApiLoginRequireOrgDomain field on the MyDomainSettings Metadata API type in API version 47.0 and later. In Winter ’22, you can enable this option from the My Domain Setup page.
From Setup, in the Quick Find box, enter My Domain, and then select My Domain. In the Policies section, click Edit. In production, select Prevent SOAP API login from https://login.salesforce.com. Or, in a sandbox, select Prevent SOAP API login from https://test.salesforce.com. Then save your changes.
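Before enabling the option, it helps to know which integrations still log in through a generic host. The following audit sketch is an added example, not Salesforce code: it reads the doesApiLoginRequireOrgDomain field from a retrieved MyDomainSettings file and lists the SOAP login endpoints that the policy would block. The settings XML, the integration names and the endpoint inventory are constructed samples, and treating an absent field as "not enforced" is an assumption based on the default described above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Generic login hosts named in the release note (production and sandbox).
GENERIC_LOGIN_HOSTS = {"login.salesforce.com", "test.salesforce.com"}
MD_NS = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed sample of a retrieved MyDomainSettings metadata file.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<MyDomainSettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <doesApiLoginRequireOrgDomain>true</doesApiLoginRequireOrgDomain>
</MyDomainSettings>"""

# Constructed inventory: integration name -> SOAP login endpoint it is configured with.
SAMPLE_ENDPOINTS = {
    "billing-sync": "https://login.salesforce.com/services/Soap/u/47.0",
    "hr-connector": "https://mycompany.my.salesforce.com/services/Soap/u/47.0",
    "uat-loader": "https://TEST.salesforce.com/services/Soap/c/47.0",
}

def api_login_requires_org_domain(settings_xml: str) -> bool:
    """True when the field is present and true; absent is treated as off (assumption)."""
    node = ET.fromstring(settings_xml).find(f"{MD_NS}doesApiLoginRequireOrgDomain")
    return node is not None and (node.text or "").strip().lower() == "true"

def generic_login_integrations(endpoints: dict) -> list:
    """Names of integrations whose SOAP login URL uses a generic login host."""
    flagged = []
    for name, url in endpoints.items():
        # urlsplit().hostname is lowercased and excludes any port or credentials.
        host = urlsplit(url).hostname or ""
        if host in GENERIC_LOGIN_HOSTS:
            flagged.append(name)
    return sorted(flagged)

def audit(settings_xml: str, endpoints: dict) -> dict:
    """Combine the org policy with the inventory to show what is blocked today."""
    enforced = api_login_requires_org_domain(settings_xml)
    generic = generic_login_integrations(endpoints)
    return {"enforced": enforced, "generic": generic,
            "blocked": generic if enforced else []}

if __name__ == "__main__":
    report = audit(SAMPLE_SETTINGS, SAMPLE_ENDPOINTS)
    print("My Domain required for SOAP API login:", report["enforced"])
    for name in report["generic"]:
        state = "blocked" if report["enforced"] else "must migrate before enabling"
        print(f"  {name}: generic login host ({state})")
```

Run it with the policy still disabled to get the migration list, then repoint those integrations at the My Domain login URL before selecting the option in Setup.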
Require SOAP API Calls to Log In with My Domain (salesforce.com)
