Are CPU microcode updates always ignored by Hypervisors?
Yes, hypervisors (the ones which aren't unusually broken, at least) will always refuse microcode update access from guests (VMs). Any microcode updates must be delivered either by the hypervisor itself, or by system firmware/boot-loader.
The reason for this is the most obvious: security. A microcode update can change visible details of the ISA (instruction set architecture), and disturb the whole system, up to and including crashing other VMs that were not prepared for the ISA changes, etc (refer to the Intel TSX microcode fix that removed the Intel TSX-NI instructions for an example).
Also, there are microcode-update-level attacks, and those, when successful, will bring down the entire system. Thus, one VM could crash the hypervisor and all other VMs. Refer to the Inertiawar paper on Intel microcode updates for an example.
Also, an hypervisor might expose to the guest a different, sometimes synthesized CPU model, than the one it is really running at. The guest has no business trying to update the microcode of such a CPU.
Microcode updates are, therefore, an attack surface all hypervisors worth something will close down.