I have tried putting the Elastic IP of NAT Gateway as a whitelisted IP
and it works. I want to understand why it is absolutely necessary to
put this IP in Security Group to access the internet-facing ALB from
the private subnet instance of the same VPC.
Because the instances in the private subnet look up the DNS of the public load balancer, resolve it to its public internet IP, and then attempt to connect to that IP, which gets routed through the NAT gateway.
As far as I know there is no way to have a public Elastic Load Balancer that can also be resolved to a private IP inside your VPC. So you will have to go through the NAT gateway to access the public load balancer from inside your private IP.
An alternative setup would be to create a third load balancer, that is private, that also points to the instances in Auto-Scale Group #1, and have your private subnet instances communicate with that load balancer.
If you go with the third load balancer approach, you would create a new target group, assign that group as to your existing auto-scaling group, and point the new load balancer to the new target group. The key point is that a target group can only be used by one Application Load Balancer, but instances can belong to multiple target groups and auto-scaling groups can have multiple target groups.
