sshd providing only public host certificates
Leroy Tennison
leroy.tennison at verizon.net
Tue Nov 18 16:51:32 AEDT 2025
Based on man sshd_config for 9.6p1 this appears to be impossible. The reason I'm asking is that I would like to switch to only certificate authentication for hosts and control it from the server side. I realize I can't necessarily control client-side misconfiguration (or potential MITMs), but I would like to be able to "encourage" all clients to convert to exclusively signature-based host authentication by not allowing connection unless they were configured to use the @cert-authority marker. A goal is to be able to say "If you're prompted to accept a host key the answer is no". If this isn't possible, please consider it an enhancement request. If it is, please tell me how; I'm not understanding how based on reading the man pages, and although web searches explain how to set this up, I didn't find anything about enforcing it. Thanks.
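As an added example that is not part of the original message or of OpenSSH itself: the client-side policy described above (every host trusted only via an @cert-authority marker, never via a host key accepted at a prompt) cannot be enforced by sshd, but it can be audited on the client. The constructed shell function below scans a known_hosts file and passes only when it contains CA markers and no raw host-key entries; the file path and key material are placeholders made up for the example.

```shell
#!/bin/sh
# Audit a known_hosts file: count @cert-authority markers versus raw host-key
# entries (including hashed |1| entries). Returns 0 when only CA markers are
# present, 1 otherwise. Constructed example, not OpenSSH's own tooling.
audit_known_hosts() {
    file="$1"
    ca=0
    raw=0
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case "$line" in
            ''|'#'*) continue ;;
        esac
        case "$line" in
            '@cert-authority '*) ca=$((ca + 1)) ;;
            '@revoked '*) ;;          # revocation markers are fine, ignore
            *) raw=$((raw + 1)) ;;   # anything else is a host key accepted directly
        esac
    done < "$file"
    echo "cert-authority entries: $ca, raw host keys: $raw"
    [ "$raw" -eq 0 ] && [ "$ca" -gt 0 ]
}

# Constructed sample file: one CA marker plus one raw key accepted at a prompt.
# The key material is a placeholder, not a real key.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# managed by IT
@cert-authority *.example.com ssh-ed25519 AAAAC3PLACEHOLDERCAKEY
hosta.example.com ssh-ed25519 AAAAC3PLACEHOLDERRAWKEY
EOF

if audit_known_hosts "$SAMPLE"; then
    echo "only certificate-based host authentication configured"
else
    echo "raw host keys present: remove them and rely on @cert-authority entries"
fi
rm -f "$SAMPLE"
```

Pointing the function at ~/.ssh/known_hosts and the system-wide known_hosts gives a quick answer to whether a client is actually living by the "if prompted, say no" rule.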
More information about the openssh-unix-dev mailing list