Limiting in-band OS access to Supermicro BMC (AST2500) possible?

Short answer: I am not aware of a BMC setting telling it "disable all in-band access", but I really doubt it exists or that it can be useful at all.

Long answer: While your question is interesting, please note that if someone gained root privileges, your server is irrecoverably compromised, so you cannot trust it anymore. After all, root is able not only to reset the BMC password, but also to reflash it, rewrite the mainboard BIOS/UEFI and update the firmware of other add-on cards (i.e. RAID controllers).

All of that can be accomplished by standard low-level interfaces (I2C, DMI, IPMI, etc.) which the Linux kernel natively supports. Removing the corresponding modules/code will not work, as a bad actor having root privileges can install and reboot a patched kernel.