Restrict using Azure Service Principal by Humans

If a user gets hold of the credentials for a service principal then they will be able to log in with it; there's no way to stop that. The solution to your problem is to make it difficult for users to get the credentials.

One way to do this is to use certificates to log in as a SP, rather than a password. If you create the SP and only assign a certificate to it, then the user will need the private key to be able to log in. If you then make sure that this private key is only installed on your automation servers, and the users have no access to this, then they will have difficulty using this.

Alternatively, you can use managed identity rather than service principals. Assign the MI to your automation machines, and ensure the users don't have access to this.
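A way to check that the certificate-only setup described above actually holds, as an added example that is not part of the original answer: the script reads application objects in the shape Microsoft Graph returns (the JSON that `az ad app list --all` prints) and reports any that still carry an unexpired client secret. The sample data, display names and finding labels are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like Microsoft Graph application objects
# (the JSON `az ad app list --all` prints). IDs and names are placeholders.
SAMPLE_APPS = json.loads("""[
 {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "ci-deploy",
  "passwordCredentials": [],
  "keyCredentials": [{"type": "AsymmetricX509Cert", "usage": "Verify",
                      "endDateTime": "2030-01-01T00:00:00Z"}]},
 {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "legacy-job",
  "passwordCredentials": [{"displayName": "rbac",
                           "endDateTime": "2030-06-01T00:00:00.1234567Z"}],
  "keyCredentials": [{"type": "AsymmetricX509Cert", "usage": "Verify",
                      "endDateTime": "2030-01-01T00:00:00Z"}]},
 {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "old-tool",
  "passwordCredentials": [{"displayName": "temp",
                           "endDateTime": "2020-01-01T00:00:00Z"}],
  "keyCredentials": []}
]""")

def parse_ts(value):
    # Timestamps are UTC ISO 8601, optionally with fractional seconds.
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def active(creds, now):
    # Keep credentials that have not expired; a missing end date counts as active.
    return [c for c in creds or []
            if not c.get("endDateTime") or parse_ts(c["endDateTime"]) > now]

def audit_app(app, now):
    secrets = active(app.get("passwordCredentials"), now)
    certs = [c for c in active(app.get("keyCredentials"), now)
             if c.get("type") == "AsymmetricX509Cert"]
    findings = []
    if secrets:
        # A client secret is a string that anyone who sees it can reuse.
        findings.append("active-client-secret")
    if not secrets and not certs:
        findings.append("no-usable-credential")
    return findings

def audit(apps, now=None):
    # Return only the applications that have at least one finding.
    now = now or datetime.now(timezone.utc)
    report = {a["displayName"]: audit_app(a, now) for a in apps}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_APPS).items():
        print(name, findings)
```

This only inspects what is registered in the directory; where the matching private key is stored on the automation servers has to be checked separately.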