MAC filtering, but if the MAC address is visible from the outside AP it’s pretty much useless. Radius would help.

https://en.m.wikipedia.org/wiki/IEEE_802.1X

The standard directly addresses an attack technique called Hardware Addition where an attacker posing as a guest, customer or staff smuggles a hacking device into the building that they then plug into the network giving them full access.

You could probably do an automation with home assistant to disable the report if the device gets unplugged, notify you about it, then require to you approve / re-enable the port.

This of course would require the service to be running, but combined with MAC filtering and placing it on an untrusted VLAN that’s probably the best you could do.

A padlock.

There are ways to try to identify the device connecting to the network. But that doesn’t prevent a third party from spoofing an appropriately authenticated device and monitoring and collecting traffic as well as injecting traffic. It just raises the difficulty

Over networks, or access points, that are intrinsically unsafe, the current gold standard is to require clients transiting those networks to then use a VPN. So internal Wi-Fi, with access only to a wire guard server, and your wireless clients connect to the wire guard server.

Even if a malicious actor takes over the access point, or compromises the ethernet cable itself, the traffic will be encrypted, and only authenticated clients will be able to actually access your infrastructure.

So you would enforce a VLAN onto the port that the access point has access to, and then that VLAN can only access the UDM wireguard server.