I am looking to find a way to use public key options, or any other method, to forceably limit ports on both ends of a reverse tunnel over SSH.

If I set up a reverse tunnel initiated from system A to system B, where port 4406 on B is connected to port 3306 on A:

I can then limit the choice of port available on B by using the PermitListen option within the public key as recorded in system B's account's authorized_keys file.

How do I then also limit the choice of ports on the other end of the connection? That is to say, limit which port the key can use on the originating system. I've experimented with the PermitOpen option but it is not relevant here because it affects only -L regular forwarding, not reverse forwarding. I expect I have missed something fairly obvious?

I am not sure of the use case here. Are you saying that you wish to demonstrate that a user that is trusted with a key and has accessed system A should not be allowed to do something like set up a cron job to setup a tunnel with 'ssh -R 4406:localhost:5506 serverB.example.com'.

Perhaps firewall restrictions on outgoing connections on serverA?

The use-case would be for an automated script using a key without a passphrase. There, I figure the more locked down the better as a reminder that the key is single-purpose. But, yes, there is trust involved either way.

The absence of a passphrase would be in contrast to setting up a one-off SSH agent just for that script and manually loading the key into the agent as needed.

Maybe rejecting all outbound ports on serverA, with a small subset allowed, would be one way, but seems fiddly on a system still a while away from transitioning from development to production.