"In short, would it be the same to configure only the IP of the private endpoint in the IP access list vs disable public access?"
The access list doesn't apply to private IPs, only to public IPs (internet). Relevant part from the docs:
"If you use PrivateLink, note that IP access lists apply only to requests over the internet (public IP addresses). Private IP addresses from PrivateLink traffic cannot be blocked by IP access lists. To block specific private IP addresses from PrivateLink traffic, use AWS Network Firewall."
A rule of thumb: public IPs can only connect to public endpoints, private IPs can only connect to private endpoints.
The most "secure" way is only accessing the workspace through Private Link (your private endpoint), but keep in mind this is only as secure as your private network. You should identify all sources that need access to your workspace (end users, devops agents, SCIM services, other services) and try to inject them into your private network as much as possible.
There are cases when you might still need to expose your public endpoint, because some services/traffic only run from the internet (for instance AAD SCIM provisioning or (public) devops build agents). For such cases, you still need to apply the access list to restrict access as much as possible (but keep in mind that you often don't control these IPs, so they may change from time to time).
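An added example, not part of the original answer and not vendor tooling: a small audit of a proposed IP access list that flags entries in private (RFC 1918) ranges, which the list never evaluates for PrivateLink traffic, and public ranges that are wider than needed. The sample entries, the `MIN_PREFIX` threshold and the verdict names are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges. Listed explicitly because ipaddress.is_private
# also covers documentation ranges, which are used as sample data below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: any public range wider than a /24 deserves a manual review.
MIN_PREFIX = 24

# Constructed sample allow list (not taken from the original post).
SAMPLE_ALLOW_LIST = [
    "10.20.0.15/32",   # private endpoint IP: has no effect in an access list
    "203.0.113.0/24",  # office egress range (documentation range)
    "198.51.100.7",    # single build agent (documentation range)
    "0.0.0.0/0",       # the whole internet
]


def audit_entry(entry):
    """Return a verdict for one access list entry."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "invalid"
    if net.version != 4:
        return "not-ipv4"  # this sketch only audits IPv4 entries
    if any(net.subnet_of(private) for private in RFC1918):
        # Access lists apply only to requests over the internet, so a
        # private address here neither allows nor blocks anything.
        return "private-no-effect"
    if net.prefixlen < MIN_PREFIX:
        return "too-broad"
    return "ok"


def audit(entries):
    """Map every entry to its verdict."""
    return {entry: audit_entry(entry) for entry in entries}


if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_ALLOW_LIST).items():
        print(f"{entry:18} {verdict}")
```

Entries reported as `private-no-effect` belong in private network controls (the quoted docs point to AWS Network Firewall), not in the access list.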