The OP's connections use something else instead of (or along with) password and/or public key, so the OP shall disable that, whatever it is (probably keyboard-interactive); but your general idea seems good. To cover all cases, one can disable each and every authentication method. I believe currently the following will do:
-o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o HostbasedAuthentication=no -o PubkeyAuthentication=no. Then, if authentication is required, the client will have absolutely no way to authenticate.