Making it non-requestable should work
Another approach is write a advanced SOD policy and within the policy rule check for users existing entitlements and future access, if you see this entitlement in the difference throw an SOD exception, this way you can stop any membership change on this entitlement
Take a look at below link for example rule