Forced tunneling sends all traffic that has no more specific route (i.e. Internet-bound traffic) over the ExpressRoute connection instead of directly to the Internet, so that the Internet traffic can be inspected by on-premises appliances/services. This is done by advertising a 0.0.0.0/0 route to Azure over BGP. If ExpressRoute goes down, that advertised 0.0.0.0/0 route is withdrawn and Azure's own system default route for 0.0.0.0/0 takes over, so the traffic would go straight out to the Internet, bypassing the on-premises inspection. If you need to stop this happening, use a Network Security Group on the subnet or NIC; two outbound rules are required:
Priority  Name          Direction  Source  Destination     Service           Action
100       AllowLocal    Outbound   Any     VirtualNetwork  Custom (Any/Any)  Allow
110       DenyInternet  Outbound   Any     Internet        Custom (Any/Any)  Deny
This works because, with forced tunneling configured, the learned 0.0.0.0/0 route is counted as part of the VirtualNetwork service tag (the tag covers the VNet address space, connected on-premises prefixes and routes learned via the gateway, including a default route when one is advertised), so Internet-bound traffic matches rule 100 and is allowed. If ExpressRoute goes down, BGP stops advertising 0.0.0.0/0, the destination is no longer part of VirtualNetwork and instead falls under the Internet tag, so rule 110 blocks it. The explicit deny is needed because the built-in default rule AllowInternetOutBound (priority 65001) would otherwise allow that traffic; both custom rules sit above it and are evaluated first. To confirm which state a NIC is in, check its effective routes (for example with `az network nic show-effective-route-table`) and verify whether 0.0.0.0/0 currently points at the virtual network gateway or at Internet.
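The following is an added illustration, not code from the original page or from Azure: a small Python model of how the two NSG rules above are evaluated against a destination address in both states, with the 0.0.0.0/0 route learned over ExpressRoute and with it withdrawn. Service-tag membership is approximated from the documented tag definitions, the VNet address space (10.1.0.0/16) and on-premises prefix (192.168.0.0/16) are assumed example values, and the rule set also includes Azure's default outbound rules so that the difference made by the custom rules is visible.

```python
"""Model of NSG outbound rule evaluation under ExpressRoute forced tunneling.

Constructed illustration (not Azure code): VirtualNetwork and Internet tag
membership is approximated from the published service-tag definitions.
"""
import ipaddress
from dataclasses import dataclass

VNET_SPACE = ["10.1.0.0/16"]  # assumed VNet address space (example value)

# Routes learned over ExpressRoute via BGP in the two states (assumed values).
ER_UP = ["192.168.0.0/16", "0.0.0.0/0"]   # on-prem prefix plus forced-tunnel default
ER_DOWN = []                              # everything withdrawn


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    destination: str  # service tag: "VirtualNetwork" or "Internet"
    action: str       # "Allow" or "Deny"


# The two rules from the table above.
CUSTOM_RULES = [
    Rule(100, "AllowLocal", "VirtualNetwork", "Allow"),
    Rule(110, "DenyInternet", "Internet", "Deny"),
]

# Azure's built-in default outbound rules (priorities are the real defaults).
DEFAULT_RULES = [
    Rule(65000, "AllowVnetOutBound", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowInternetOutBound", "Internet", "Allow"),
    Rule(65500, "DenyAllOutBound", "Any", "Deny"),
]

RULES = CUSTOM_RULES + DEFAULT_RULES


def virtual_network_prefixes(bgp_routes):
    """VirtualNetwork tag: the VNet space plus prefixes learned via the gateway,
    which includes a default route when one is being advertised."""
    return [ipaddress.ip_network(p) for p in VNET_SPACE + list(bgp_routes)]


def matches_tag(tag, dst, bgp_routes):
    """Does destination address `dst` fall under service tag `tag`?"""
    addr = ipaddress.ip_address(dst)
    in_vnet = any(addr in net for net in virtual_network_prefixes(bgp_routes))
    if tag == "Any":
        return True
    if tag == "VirtualNetwork":
        return in_vnet
    if tag == "Internet":
        # Public address space that is not covered by VirtualNetwork.
        return addr.is_global and not in_vnet
    raise ValueError(f"unknown tag {tag!r}")


def evaluate(dst, bgp_routes, rules=RULES):
    """Return (rule name, action) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches_tag(rule.destination, dst, bgp_routes):
            return rule.name, rule.action
    raise AssertionError("DenyAllOutBound should always match")


if __name__ == "__main__":
    for label, routes in (("ExpressRoute up", ER_UP), ("ExpressRoute down", ER_DOWN)):
        for dst in ("8.8.8.8", "10.1.2.3", "192.168.1.10"):
            print(f"{label:18} {dst:14} with custom rules -> {evaluate(dst, routes)}"
                  f"   defaults only -> {evaluate(dst, routes, DEFAULT_RULES)}")
```

Running it shows the behaviour the text describes: while 0.0.0.0/0 is learned, 8.8.8.8 is inside VirtualNetwork and hits AllowLocal; once the route is withdrawn it falls under Internet and hits DenyInternet, whereas with only the default rules the same traffic would be allowed out by AllowInternetOutBound.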