Protect Raspberry Pi's physical sd card to be swapped

You must use Full Disk Encryption on the sdcard used to boot the Pi. Using it, if the attacker gets the sdcard away, it will not be able to read its contents. This will protect the 802.1x credentials stored in the card.

Second, use 802.1x authentication on the network. 802.1x requires login and password for the client to get an IP address. Without a valid login and password, the Pi will not be able to join the network even if the attacker plugs the network cable on it.

With this, you will have to connect a keyboard and monitor to the Pi, to enter the disk password and the 802.1x credentials. If this Pi is to run a secure environment, keep a know good disk image somewhere else and reflash the card every time the Pi is shut down. This will prevent the attacker from coming in, shutting down the Pi and backdooring the bootloader (the Evil Maid attack). This is required, unless you want the attacker to get the 802.1x credentials and full disk encryption key at the same time.

Bonus point: nobody without valid credentials will be able to get to an unsupervised room and plug in a laptop.

Forget MAC address authentication, it's trivial to change the MAC.