I’m no security expert but somehow this seems like a bad idea. What if the user is mobile and switches IPs? Besides, IP can be spoofed. For actions with side effects you don’t even need a reply.
There can absolutely be caveats to this. However, I’ve had several use cases where clients want to restrict employees from using certain functionality of the software from outside of their offices. They often have a static IP address, but the ones who don’t and refuse to pay for it do have issues from time to time. This can be modified to allow a range or subnet of addresses and the ISP should be able to provide a pool. Restriction by IP address alone is typically not secure enough and should be a complement to proper authorization and authentication. Again, this is all very situational and the use case can be limited depending on the scope of the project.
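A sketch of the subnet variant discussed in the reply above, added here as an illustration and not taken from the original post or its comments. The function names, the office ranges and the proxy range are all assumptions (the addresses are documentation ranges); the check only passes for an already authenticated user, and a client-supplied `X-Forwarded-For` value is ignored unless the connection comes from a proxy you operate.

```python
import ipaddress

# Constructed sample values (documentation ranges), not from the original post.
OFFICE_NETWORKS = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/28", "2001:db8:10::/48")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse(text):
    addr = ipaddress.ip_address(text.strip())
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap those.
    return getattr(addr, "ipv4_mapped", None) or addr


def _in_any(addr, networks):
    # Membership is False when address and network versions differ.
    return any(addr in net for net in networks)


def client_ip(peer, forwarded_for=None):
    """Return the address to check, or None if it cannot be parsed."""
    try:
        addr = _parse(peer)
        # A header sent by an arbitrary client proves nothing: only read it
        # when the TCP peer is one of our own reverse proxies.
        if not _in_any(addr, TRUSTED_PROXIES) or not forwarded_for:
            return addr
        # Rightmost entries were appended by our proxies; anything further
        # left could have been written by the client, so stop at the first
        # hop that is not a trusted proxy.
        for hop in reversed(forwarded_for.split(",")):
            addr = _parse(hop)
            if not _in_any(addr, TRUSTED_PROXIES):
                return addr
    except ValueError:
        return None
    return addr


def allow_restricted(authenticated, peer, forwarded_for=None):
    """IP restriction as a complement to authentication, never a substitute."""
    if not authenticated:
        return False
    addr = client_ip(peer, forwarded_for)
    return addr is not None and _in_any(addr, OFFICE_NETWORKS)
```
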