There are two ways I do this:
I dislike extensive event handlers, as that makes the application less maintainable, so I prefer not to add validations to event handlers themselves.
Finally, I only use the above methods if data integrity is very important, or if an application has a huge audience. For typical business applications, we assume our users have neither the skills nor the inclination to abuse the system in this way.
The best way would be to either add security on a database level (in your domain model, both entity access and BCo) where possible, or when that's not possible, duplicate the validation that's on the button in the microflow itself. That way, even if someone calls the microflow while circumventing the button, they will still be caught by validation.