What @cdiedrich has proposed can be described in more detail; maybe you have missed it?
- set add-arp=yes on all dhcp servers
- make all the current dhcp leases which you recognize (most important, the PC from which you configure the machine) static
- make the address-range of all ip pool items used by dhcp servers incompatible with the subnets attached to the interfaces on which the dhcp servers are listening
- set arp=reply-only on all LAN interfaces to which IP configuration is attached
With this setup,
- when a known device connects, it will get a dhcp lease with a fixed IP address from the correct subnet, and the mapping between its IP address and its MAC address will get stored in the arp table, so it will be able to communicate bidirectionally
- when an unknown device connects and asks for an address using DHCP, it will get one but not from any of the subnets so it won't get any response packets. But this allows you to add new devices to the whitelist by making these leases static and changing the IP address in them
- when an unknown device connects and manually sets up an address from the proper subnet, it won't get any response packets because its MAC address won't be stored in the arp table and Mikrotik won't use ARP to determine it.
However, all the above can be outsmarted by changing the MAC address of the "alien" device to one of those for which a static lease exists, just like any other access control method which is based on use of an authentication factor which can be intercepted and spoofed because it traverses the network in plaintext (i.e. not encrypted).
802.1X requires that the client knows a secret which is not sent in plaintext, so it cannot be found by just connecting to your switch and sniffing the broadcast traffic for a while - which is how the attacker can easily identify whitelisted MAC addresses. And the secret is individual per client so by sharing it with friends, the client risks that he'll be unable to connect himself.
So 802.1X is the way to go, but Mikrotik has only got halfway so far (yet thanks for at least that after all those years!) - it can talk to the connected devices and control the ports using 802.1X, but its embedded RADIUS server (the User Manager) doesn't support EAP yet, so you need an external one at the moment.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
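
The four steps listed in the post above, written out as RouterOS commands. This is an added example, not part of the original post; the interface name `bridge-lan`, the pool name `dhcp-pool`, the LAN subnet 192.168.88.0/24, the 10.255.255.0/24 range and the MAC address are assumed placeholder values.

```routeros
# Assumed setup (placeholders): LAN bridge "bridge-lan" carries 192.168.88.1/24,
# and the DHCP server on it hands out addresses from the pool "dhcp-pool".

# Step 1: have every DHCP server add an ARP entry for each lease it gives out.
/ip dhcp-server set [find] add-arp=yes

# Step 2: turn the leases you recognize into static ones, starting with the PC
# you are configuring from. Repeat per known device; MAC below is constructed.
/ip dhcp-server lease make-static [find where mac-address="AA:BB:CC:DD:EE:01"]
/ip dhcp-server lease set [find where mac-address="AA:BB:CC:DD:EE:01"] \
    address=192.168.88.10 comment="admin PC"

# Step 3: move the pool range outside every subnet attached to the LAN
# interfaces, so unknown devices receive a lease they cannot use.
/ip pool set [find where name="dhcp-pool"] ranges=10.255.255.2-10.255.255.254

# Step 4 (last, after the admin PC lease is static): stop resolving unknown
# hosts via ARP; only entries added by DHCP or by hand are used.
/interface bridge set [find where name="bridge-lan"] arp=reply-only

# Check: known devices appear in the ARP table; leases of unknown devices stay
# dynamic and can be whitelisted by making them static and changing the address.
/ip arp print where interface=bridge-lan
/ip dhcp-server lease print where dynamic
```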