Can I disable using URL parameters for key-auth?
Using keys in URL parameters is not recommended, as they can be written to logs, caches, history, etc.:
https://www.owasp.org/index.php/Information_exposure_through_query_strings_in_url
This is something you would control from the client.
You can write a custom plugin or use the serverless plugin to strip the key out of the query string (if present) while the request is proxied via Kong.
Yes, if I control the client then I can use headers rather than the query string.
If I don’t control the client then I would like to prevent the client from doing things that are not recommended from a security point of view.
Have you considered using the request-transformer plugin to remove the API key from the query string?
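An added example (not from this thread or from Kong's own documentation) that puts the two suggestions together in a declarative config: key-auth is told to accept the key from the header only, a pre-function rejects any request that still carries the key in the query string, and request-transformer strips it before the request reaches the upstream. The service and route names are placeholders; the `key_in_query` option and the `access:` phase key of pre-function are assumed to be available in the Kong version in use (older releases use `config.functions` for serverless plugins and lack `key_in_query`, in which case the pre-function alone still blocks query-string keys).

```yaml
_format_version: "1.1"

services:
  - name: example-service          # placeholder name
    url: http://upstream.internal  # placeholder upstream
    routes:
      - name: example-route        # placeholder name
        paths: ["/api"]
    plugins:
      # Accept the key from the "apikey" header only (assumes key_in_query exists).
      - name: key-auth
        config:
          key_names: ["apikey"]
          key_in_header: true
          key_in_query: false

      # Defence in depth: refuse requests that put the key in the query string,
      # so it is never logged or cached downstream. Runs before key-auth.
      - name: pre-function
        config:
          access:
            - |
              if kong.request.get_query_arg("apikey") then
                return kong.response.exit(400, {
                  message = "send the API key in the apikey header, not the query string"
                })
              end

      # Belt and braces: never forward a query-string key to the upstream.
      - name: request-transformer
        config:
          remove:
            querystring: ["apikey"]
```

Verify with `curl -i "http://localhost:8000/api?apikey=test"` (expect 400) and `curl -i -H "apikey: <key>" http://localhost:8000/api` (expect the upstream response).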