Force dial-only for tunnelers from the tunneler side

Is there any solution to this older GitHub issue yet?

In summary, is there a way to set a "dial only" setting on the tunneler side to ensure that an OpenZiti administrator cannot successfully use that identity as a bind target? This is a security issue from the perspective of someone joining a network where they may not fully trust the administrators, or even where the tunneler is on a secured machine that needs to reach out to things but should never have inbound access in any situation.