I have disabled it in the past within /var/www/nextcloud/apps/dav/lib/Connector/Sabre/Auth.php.
We don’t want users accessing their files anywhere but from within the web interface so I just added return false; within the validateUser function. The fix for NC 12 is here: https://pastebin.com/7NL383b1 (ignore the comment about the cron job. it is for my use only). Have not tested with NC 14 yet but will be. I thought I’d look to see if there have been any new ways to disable it before resorting to hacking up core.
the desktop client tries to get authorization via /index.php/login/v2/grant
you can put this inside your Apache-vhost-config (.htaccess would work too)
RewriteCond %{REQUEST_URI} ^/index.php/login/v2/grant
RewriteRule ^(.*)$ https://example.com/index.php/login [L,R=301]
and some more conditions for the Android client
RewriteCond %{REQUEST_URI} ^/index.php/login/flow/grant(.)$ [OR]
RewriteCond %{REQUEST_URI} ^/core/js/login/grant(.)$ [OR]
RewriteCond %{REQUEST_URI} ^/index.php/login/flow/grant(.)$
RewriteRule ^(.)$ https://example.com/index.php/login [L,R=403]
this only prohibits the android client to authenticate at first login! If the client was already registered, it won’t stop that connection.