kiminou
New Member
September 2, 2025
Question

How to prevent or forbid any CLI changes on FortiGate once it is integrated into FortiManager

Hello

We manage all FortiGates from FortiManager. I want to prevent or forbid any changes directly on the FortiGate; changes need to be made from FortiManager. How can I reach this goal? Any suggestion will be welcome.

Thanks

1 reply

Yurisk
SuperUser
September 4, 2025

You can set up a custom Access Profile for such admins in which you disable everything CLI.

See this example of how to enable CLI commands - just do the reverse and unselect the CLI commands.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-config-options-in-custom-admin-access/ta-p/314351

If you want to force people to make changes only via FMG, just assign all admins on the FortiGates a read-only profile, and leave just one super_admin user (for emergency access), the password of which is kept safely away from regular admins.
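
To check that the setup described in the reply is actually in place, this added example (not part of the thread and not a Fortinet tool) parses a FortiGate configuration backup and lists administrators whose access profile still allows writes. The sample config, the emergency account name `breakglass` and the profile names are constructed for illustration.

```python
import re
# Constructed excerpt of a FortiGate config backup (sample data, not from the thread).
SAMPLE_CONFIG = '''\
config system accprofile
    edit "fmg_readonly"
        set fwgrp read
    next
    edit "netops"
        set fwgrp read-write
    next
end
config system admin
    edit "breakglass"
        set accprofile "super_admin"
    next
    edit "alice"
        set accprofile "fmg_readonly"
    next
    edit "bob"
        set accprofile "netops"
    next
end
'''
WRITE = {"read-write", "custom"}  # "custom" can carry per-feature write access

def parse_section(config, header):
    """Return {entry_name: {key: value}} for one top-level 'config <header>' block."""
    entries, current, inside = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == f"config {header}":
            inside = True
        elif inside and line == "end" and current is None:
            break  # end of the top-level block (a nested 'end' has current set)
        elif inside and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = entries.setdefault(m.group(1), {})
        elif inside and line == "next":
            current = None
        elif inside and current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return entries

def writable_admins(config, allowed=("breakglass",)):
    """Admins outside `allowed` that can write. Assumption: a profile absent from
    the backup (such as built-in super_admin) is treated as writable."""
    profiles = parse_section(config, "system accprofile")
    def can_write(p):
        return p not in profiles or bool(WRITE & set(profiles[p].values()))
    admins = parse_section(config, "system admin")
    return [(name, cfg.get("accprofile", "")) for name, cfg in admins.items()
            if name not in allowed and can_write(cfg.get("accprofile", ""))]
```

An empty result from `writable_admins()` means only the designated emergency account can change the device locally.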