Generally speaking you could put a block pattern (like a route pattern) in the partition which is in the incoming calling search space of the H323 trunk from the PSTN GW to CUCM.
If you would like to block the call in the GW, you may use COR there. You need a separate dial-peer for this number as the incoming called number, and after that you have to put some restrictions on this dial-peer and on the other one pointing to the H323 trunk to CUCM.
This is a kind of static solution and in some cases may not work for you.
The ingress gateway is somewhat irrelevant to the conversation. I say this because the ingress gateway is unaware of a device's location. So either you allow all or no calls to the endpoint.
Although I am not a fan of this recommendation, you may be able to use CAC in conjunction with device mobility to deny calls to the softclient. If the phone registers and is assigned a device mobility group (that only IPC will register to), you could set the ingress gateway location to the device mobility location to have 0 bandwidth. Set the device mobility location to unlimited BW to the other internal phones and internal phone to unlimited. Calls from GW to phone will have no BW and fail, while IPC to phones or phones to IPC.