How would you go about restricting access to a whitelist of origins? Would you compare the origin header socket.request['origin'] on connection start, and close it if there's no match?

Basically yes - I'd check handshake.origin in the onopen block and close the connection with an appropriate close code if the origin was not valid.