By default, pfSense routes traffic between WAN, LAN, OPT1, OPT2, ...
Currently I am explicitly blocking certain combinations via firewall rules.
How can I configure pfSense to use a whitelisting approach instead (only allowing necessary combinations)?
Everything is a default deny. Nothing is allowed that you aren't passing via your configured rules.
The way to disable routing is to block the traffic you don't want routed. An alias containing RFC1918 is helpful to block traffic to non-Internet destinations. It's also possible to use the alias in your pass rules as a "not" destination, but it's usually more logically clear to people if you just put in a single block and allow destination "any" for the Internet.
If you copied the default rules from LAN to OPT1 and OPT2 you can do the following to block traffic between network interfaces:
Example that prevents traffic originating in OPT1 from reaching LAN traffic
Create a rule under OPT1 to "block", protocol "any" source "OPT1 net" destination "LAN net".
Follow the same pattern for the other interfaces.