On this network, I don't use Mikrotik router, but I know that solution. It prevents only the gateway to talk with unidentified clients and they can't talk thru the gateway, but still not prevents spoofing clients to get and answer the ARP broadcast on the WiFi network :/
cnPilot does not have the option to prevent clients with static ip address in accessing the network. looks like you want to prevent any clients with static ip address in your deployment. do you see any kind of attack is happening in the network