How can I block requests with the wrong Host header set?

Define a default server

if you don't explicitly define a default server, nginx will implicitly use the first-found server. so, just create a server block to block unknown hosts:

server {
  listen 80 default_server;
  return 444;
}

(no it's not necessary to add a server_name - since it will never be a match).