How can I limit ssh *remote* port forwarding?

There's an option no-port-forwarding that you can use, that prevents all port forwarding. Present at least as of OpenSSH 4.3p2 (CentOS 5.3 - oldest machine I have access to). Put it in the same place that you would have put permitopen.

This has been implemented in OpenSSH 7.8p1, which was released 2018-08-24. Quote from the release notes:

add a PermitListen directive to sshd_config(5) and a corresponding permitlisten= authorized_keys option that control which listen addresses and port numbers may be used by remote forwarding (ssh -R ...).