You could achieve it on the CER/CEA level. I would say If the receiver of the CER is unable to comply with what is in the request (different capabilities), it should send a CEA with the Result-Code AVP set to DIAMETER_UNABLE_TO_COMPLY.
From the RFC 6733, maybe you could block session removal which should lead to sending the ASA with cause code you look for.
8.5.2. Abort-Session-Answer (ASA)
[...]
If the session identified by Session-Id in the ASR was successfully terminated, the Result-Code is set to DIAMETER_SUCCESS. If the session is not currently active, the Result-Code is set to DIAMETER_UNKNOWN_SESSION_ID
. If the access device does not stop the session for any other reason, the Result-Code is set to DIAMETER_UNABLE_TO_COMPLY
.