This snippet for Apache 2.4 forbids access to xmlrpc.php by default and then adds exceptions for specific sites. The sites that get an exception are specified using the Directory directive.
# Forbid access to xmlrpc.php globally at server level
<Files "xmlrpc.php">
Require all denied
</Files>
# Add exception for a site that needs XML-RPC
<Directory "/web/site-1/public">
<Files "xmlrpc.php">
Require all granted
</Files>
</Directory>
# Add exception for a second site that needs XML-RPC
<Directory "/web/site-2/public">
<Files "xmlrpc.php">
Require all granted
</Files>
</Directory>
Documentation: httpd.apache.org/docs/2.4/mod/core