I'm not sure yet.
On one hand I could imagine an "exclusive" setting on IdentityProvider level which means that a user provided by this Identity Provider cannot add another linked Identity.
Problem is that this only works for users which come through this IdP. Users that are only registered in Keycloak directly currently cannot have such a setting since the current Keycloak IdP instance itself is not represented as an IdP...
I wonder whether it would make sense to add Keycloak as a "fixed" IdP to the IdP list in order to be able to adjust such things...
Cheers,
Thomas