It seems there is no out-of-the-box solution provided by Keycloak to prevent SSO users / external IdP users from setting their password via the reset password functionality.
You could write a small JavaScript authenticator which runs in a post-broker-login flow. This authenticator sets a custom user attribute which marks the user as "is from external broker". Then you modify the password ftl templates in the login theme so that they check whether this flag is set in the user's attributes. If the attribute is there, disable the change password submit button.
Any solution which relies on hiding form fields is an insecure patch. As far as my research indicates, the best solution at this moment is to remove the manage-account role from users. Unfortunately this is overkill in most situations, since it would be nice to allow users access to other "/account" screens and data.
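The flagging step described in the post above, as an added example that is not part of the original post and not Keycloak project code: a Keycloak JavaScript (script) authenticator intended to be placed as a REQUIRED step in the realm's post-broker-login flow. Keycloak binds the globals `user`, `script`, `LOG` and the `context` argument before calling `authenticate()`; the attribute name `isFromExternalBroker` and the helper names are assumptions chosen for this example. The FreeMarker template side (reading the same attribute to disable the submit button) is not shown, and as the post says, that part is only cosmetic and not a security control.

```javascript
// Added example (not from the original post or from Keycloak itself).
// Keycloak script authenticator: runs inside the post-broker-login flow and
// marks the authenticated user with a custom attribute so other components
// (templates, policies) can tell that the account belongs to an external IdP.
// Globals provided by Keycloak at runtime: `user` (UserModel), `script`
// (ScriptModel), `LOG` (logger). `context` is the AuthenticationFlowContext.

// Attribute name is an assumption for this example; pick any name, as long as
// everything that reads the flag agrees on it.
var BROKER_FLAG_ATTRIBUTE = "isFromExternalBroker";

function isFromExternalBroker(userModel) {
  // getFirstAttribute() returns null when the attribute has never been set.
  return userModel.getFirstAttribute(BROKER_FLAG_ATTRIBUTE) === "true";
}

function markAsBrokeredUser(userModel) {
  // Post-broker-login only runs after a successful IdP login, so reaching
  // this step is itself the evidence that the user came through a broker.
  userModel.setSingleAttribute(BROKER_FLAG_ATTRIBUTE, "true");
  return isFromExternalBroker(userModel);
}

function authenticate(context) {
  if (!user) {
    // No user bound to this auth session (authenticator placed in the wrong
    // flow): nothing to flag, let the remaining steps decide.
    context.attempted();
    return;
  }
  if (!isFromExternalBroker(user)) {
    LOG.info(script.getName() + ": flagging brokered user " + user.getUsername());
    markAsBrokeredUser(user);
  }
  context.success();
}

// action() is only called when the authenticator rendered a form; this one
// never does, so simply continue the flow.
function action(context) {
  context.success();
}
```

Bind the script as an authenticator in the post-broker-login flow of the identity provider(s) in question; users who log in with a local password never pass through that flow, so they never receive the attribute. Anything that must actually enforce the restriction (rather than just hide a button) has to check the attribute server-side, which is why the post recommends removing the manage-account role instead.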