What is the correct way to apply an ACL to inbound traffic on an interface?

Filtering traffic as it enters the interface means the router checks each incoming packet against the ACL before it is processed or forwarded. Attaching the ACL to the interface with the inbound direction (ip access-group <ACL> in) is the standard way to implement this on Cisco IOS. It ensures only permitted traffic is allowed to be processed by the router and forwarded to other networks. If you used the outbound direction, the ACL would affect packets leaving the interface after routing decisions, which is a different behavior. The other options don’t apply the ACL to interface ingress in this context: a global firewall filter isn’t the typical method for basic interface ACLs in IOS, and ip route-filter is used for controlling routing protocol updates, not interface traffic.