There's two ways I do this:

• I add a boolean attribute on an entity HasBeenValidated, an no role has write rights on it. Then, after succesful validation, I set it to true. In a before commit handler, I check if HasBeenValidated is true. If it is, I set it to false and return true, otherwise I return false.
• I use a before commit event handler which always returns false, and in my app I always commit without events.

I dislike extensive event handlers, as that makes the application less maintainable, so I prefer not to add validations to event handlers themselves.

Finally, I only use the above methods if data integrity is very important, or if an application has a huge audience. For typical business applications, we assume our users neither have the skills nor the inclination to abuse the system in this way.

The best way would be to either add security on a database level (in your domain model, both entity access and BCo) where possible, or when that's not possible, duplicate the validation that's on the button in the microflow itself. That way, even if someone calls the microflow while circumventing the button, they will still be caught by validation.