I don't think there's a way to be compliant with Bluetooth Low Energy and prevent devices from doing an initial connection (i.e. before any bonding/etc.). Part of the point of BLE is to have a uniform device discovery mechanism.
You could try to limit interactions to devices that are running an approved app by using a timer and a service for a challenge/response system. When a central (app) connects, the device could start the timer. If the central (app) hasn't completed the challenge/response in a reasonable time the device could disconnect. You could also disable all other functionality until the challenge/response is completed.
This isn't perfect though. On iOS any apps can access a connected peripheral. So if YOUR App is authenticated using this scheme and connected, someone could then launch another app, like LightBlue, and interact with the device. There would be ways to limit this to some degree if your app is only used in the foreground. It could un-authenticate before going into the background, which would make browsing with LightBlue/etc. difficult.
There are several possible variations on this scheme that could make it difficult for someone to accidentally interact with the device (encryption/rolling keys/etc.).
