Hi @brad.younge,
Welcome to the Auth0 Community and thank you for your post.
Firstly, you are correct about creating new users when using this type of connection, since it is also mentioned in our Passwordless documentation that you can:
Create them directly from the Management API if signup is disabled
I am sorry for the inconvenience that you are encountering, but this behavior is actually the expected one, so when users try to login for the first time they will get a code and will be able to authenticate themselves into the application, as mentioned in this community post as well.
You can also check out this Knowledge Article if you are interested in a workaround that restricts only certain email domains for signing up.
However I believe this could be a great proposal for a Product Feedback since it might get multiple votes and our engineering will take this into consideration for a future implementation.
Thanks,
Remus