Routers are ill-fitted for this kind of access control. To sufficiently control users physically connecting to your network you need to control them directly on the port they connect to, which is usually a switch. 802.1x is specifically made for this purpose. Routers do not do 802.1x, switches do.
That said, you can
a) make static DHCP leases for all your valid clients
b) set the address pool on the DHCP server to 'none'
b) check "Add ARP for leases" on the DHCP server instance
c) change the ARP settings of the LAN interface to "reply only"
d) add static ARP entries for all statically IPd clients on the network
At that point the router will refuse to dynamically learn IP-MAC mappings via ARP. It will, however, respond to ARP requests from clients. Static ARP entries are used for static clients, and valid clients get their static DHCP lease, and are added to the ARP table by the DHCP server when the lease is handed out, and removed again when the lease expires. New clients do not receive a DHCP lease, aren't added to the ARP table, and can't get traffic back from the router.
Savvy clients can bypass that by sniffing a valid MAC/IP mapping and spoofing those addresses, at which point they can pass traffic through the router. You cannot work around that on the router, you'd need a switching platform with decent edge security features.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.