Answering my own question. It looks like you have access to an auth0 object in the rule that already has needed access to updating metadata, so you could store the ip in it during the rule, and then check it at the beginning of the rule for the last login ip…
https://auth0.com/docs/rules/current/metadata-in-rules#updating-app_metadata