Is it possible to lock down DNS calls to only those addresses outside one's organization (i.e. forwarders) one configures on the firewall?
You can make firewall rules that block outgoing DNS requests to any servers except the ones you want, yes. It works just like firewalling any other service.
Additionally, if you really wanted to, you could create NAT rules such that all requests from the LAN to the DNS port (53) would be redirected to the DNS server of your choice (just one though), regardless of what server the client was trying to use. This would allow invalid configs to work but still only go to the allowed server. A similar setup (not specific to DNS but should work) is described in the pfSense book when discussing NAT.
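The two approaches from the answer above, written as a hand-written pf.conf fragment. This is an added example, not part of the original answer and not rules generated by pfSense. The interface name `em1`, the macro names and the resolver addresses (documentation ranges) are assumptions.

```conf
# Constructed values: the interface name and resolver addresses are placeholders.
lan_if      = "em1"
forwarders  = "{ 192.0.2.53, 198.51.100.53 }"   # approved external resolvers
redirect_to = "192.0.2.53"                       # single target for the NAT variant

# NAT variant (translation rules must come before filter rules in pf.conf):
# any LAN DNS query not already aimed at the chosen server is rewritten to it,
# so a client with a wrong resolver configured still gets an answer.
rdr on $lan_if inet proto { udp, tcp } from $lan_if:network \
    to ! $redirect_to port 53 -> $redirect_to port 53

# Filter variant: allow DNS only to the approved forwarders, then drop
# every other LAN packet addressed to port 53. "quick" stops evaluation at the
# first matching rule, so the order of these two lines matters.
pass  in quick on $lan_if inet proto { udp, tcp } from $lan_if:network \
    to $forwarders port 53 keep state
block in quick on $lan_if inet proto { udp, tcp } from $lan_if:network \
    to any port 53
```

pf applies the `rdr` translation before filtering, so when both variants are loaded the `pass` rule sees the rewritten destination. These rules cover port 53 only; DNS over TLS (port 853) and DNS over HTTPS (port 443) are not affected by them.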