you try to install this module

pip install pyseccomp
import pyseccomp

You could turn your python scripts into windows executables using py2exe. That way it would be treated the same way you restrict other system binary. Be aware that it is possible to reverse-engineer by "uncompiling" it, showing the script functions and all. But as your question in only about enforcing execution authorization, i think that it will fulfill your need.

How can I implement secure connection between client and my python server? I guess I could use SSH or SSL, but which one will be better suited for the job? And If I choose SSH then wouldn't it interfere with SSH login service I use to manage my (whole) server?

If it is only you that will be connecting to the server, I would secure the whole process using a VPN.

Is opening multiple ports very insecure? What kind of attacks could it bring on me? How can I prevent them?

The ports are only as secure as the services listening on them. Opening multiple unneeded ports serve to increase the attack surface of your server, as there are many more points of failure possible. Disable all unused services on your server.

Do you have any other tips regarding own server implementation?

Keep your server up to date. This involves running a command like sudo apt-get update && sudo apt-get dist-upgrade on Ubuntu-like distros or yum update on RHEL-based distros.

Have proper iptable rules configured. See this link for a good baseline. Configure as necessary.

Configure ssh to use key-based authentication instead of passwords. This helps to increase the difficulty of bruteforce attacks against the ssh service. Disable root login using ssh.

The problem isn't that there are known security vulnerabilities.

The problem is that there is not really an effort to address less common but critical vulnerabilities.

For example, many web servers will display error messages. Until quite recently, Apache Httpd would include some of the request data in the error pages, which allowed cross-site scripting in default configurations of mod_proxy (CVE-2019-10092), with no way for the application developers to mitigate this threat against the site users.

The major web servers, such as Apache Httpd, Nginx, IIS, and Lighttpd each have hundreds of active contributors (or in IIS's case, a large corporate structure behind it), dozens of core developers who understand security best practices, and a team dedicated specifically to reviewing code for potential vulnerabilities. As you can tell by browsing the CVEs of any of those projects, there are still things that people catch after versions are released.

The developers who write HTTP servers for programming languages are small sub-projects, developing tools to support the main product: The language. There might be a dozen people who have contributed code to that tool, and one or two core developers on that project.

They do not have the resources available to search for vulnerabilities, so while there aren't any known vulnerabilities (or at the very least, it is very bad form here to point out known vulnerabilities that are likely to remain unaddressed), there are most certainly vulnerabilities in it, simply due to the complex nature of HTTP servers.

Some of these vulnerabilities might be extremely critical, such as allowing an attacker to have complete control over your server, including executing arbitrary code with a privileged account. Such a vulnerability might not exist, but without a thorough code review—and with the large, red-boxed warning at the top of Python's documentation page—it is plausible that such a vulnerability might exist.

In your specific case, the CIO signed off on it.

It is the CIO's responsibility to ensure that risk assessments are done. As the sysadmin, it's your job to execute the company's officers' instructions, and your responsibility to ensure that the officers have the information they need to be able to make informed decisions.

Because of the boundary in responsibilities, the pushback that I would do is ask to see the risk assessment. If the risk assessment doesn't include a very high probability (due to automated tools quickly finding the vulnerable server in hours) that the server gets infected with malware and used as a Command and Control repeater node for a bot farm, offer to help them make a realistic risk assessment.

Well, there is a system called virtualenv which allows you to run Python in a sort of safe environment, and configure/load/shutdown these environments on the fly. I don't know much about it, but you should take a serious look into it; here is the description from its web page (just Google it and you'll find it):

The basic problem being addressed is one of dependencies and versions, and indirectly permissions. Imagine you have an application that needs version 1 of LibFoo, but another application requires version 2. How can you use both these applications? If you install everything into /usr/lib/python2.4/site-packages (or whatever your platform's standard location is), it's easy to end up in a situation where you unintentionally upgrade an application that shouldn't be upgraded.

Or more generally, what if you want to install an application and leave it be? If an application works, any change in its libraries or the versions of those libraries can break the application.

Also, what if you can't install packages into the global site-packages directory? For instance, on a shared host.

In all these cases, virtualenv can help you. It creates an environment that has its own installation directories, that doesn't share libraries with other virtualenv environments (and optionally doesn't use the globally installed libraries either).

Ansible.

It looks like that script is trying to do configuration management. So why not use a configuration management tool to do so? (ansible, puppet, cfengine, etc.)

You should separate the "what configurations need to be made to secure/harden a system" and "what tool will I use to implement it".