How to stop HTTPS requests for non-ssl-enabled virtual hosts from going to the first ssl-enabled virtualhost (Apache-SNI)

As the Apache docs say, when no ServerName matches the hostname give in the web request, the first VirtualHost matching the given IP/port combination will be used.

Thus, you merely need to give a default virtual host that serves no content, or content of your choosing, and it must be the first one parsed by Apache when it loads its configuration.

If you don't want specific hosts to be accessible via https at all, place them on a separate IP address, on which you have configured Apache not to Listen on port 443.