We have a requirement of only allowing a certain port range access 'back through' a firewall from B to A when a connection already exists from A to B. So, for example, A connects to B on port X, and once that connection is established, B can then connect to A on ports Y01 to Y99. I have been looking at the established keyword, but can't seem to find any way of limiting that to a given IP or set of IPs - is this even possible?
Yes, the established command is what you need. We use this command when inspection is not available for the particular flow.
Usually we use this for X-Windows applications.
Once a telnet session is established on tcp 23, a range of ports 1024-65535 can be opened in the other direction. The PDF that you enclosed has nice examples. Let me know if you have any further questions.
Once you have this command globally, you can restrict hosts using object groups on ACLs that you apply on the interfaces. There is no way to restrict that with the established command itself.
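The following ASA configuration is an added illustration of the approach described in the answers above; it is not configuration posted in this thread, and the addresses, interface names, object-group names and the 5001-5099 return port range are all assumed placeholders standing in for the X and Y01-Y99 of the question. It shows the global established pinhole for a telnet (tcp/23) session and, since that command cannot name hosts, an object-group ACL on the inside interface that limits which hosts may open the originating connection, and therefore which hosts ever get a return pinhole.

```cisco
! Added example, not from the thread. Assumed topology (placeholders):
!   inside client A  = 10.1.1.10   (interface "inside")
!   outside server B = 192.0.2.20  (interface "outside", documentation address)
! A opens telnet (tcp/23) to B; B may then connect back to A on tcp 5001-5099.

! 1. Global pinhole. Once an outbound tcp/23 connection exists, permit the
!    reverse-direction connection to the client. "permitto" is the destination
!    port range on the return connection (the range B is allowed to reach on A),
!    "permitfrom" the source port range B may use. This is global: it takes
!    no host or network argument, which is the limitation the question hit.
!    Verify the exact keyword order against the command reference for your
!    ASA version before relying on it.
established tcp 23 permitto tcp 5001-5099 permitfrom tcp 1024-65535

! 2. Host restriction via object groups on the interface ACL. The return
!    pinhole is only ever created for an originating connection the firewall
!    actually passed, so limiting who may build that connection limits who
!    can get the reverse channel. Anything else from inside is denied and logged.
object-group network A_HOSTS
 network-object host 10.1.1.10
object-group network B_HOSTS
 network-object host 192.0.2.20

access-list INSIDE_IN extended permit tcp object-group A_HOSTS object-group B_HOSTS eq 23
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

Two practical caveats: the established feature only applies to TCP and UDP flows, and it is a legacy mechanism used where no protocol inspection exists for the application, so prefer a proper inspection engine whenever one covers the protocol, and keep the permitto range as narrow as the application allows rather than the 1024-65535 used in the telnet example above.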