it is not entirely clear from your words what exactly is the mac-address on the port of the router towards the switch. if other than the client's, the switch will trigger port security for the port, if available and enabled. if mac is the same as that of the client, then the switch will not notice any substitution, since there are no other criteria for determining substitution according to the conditions of your task.
I don't know anything about the existence of the "truth byte".

Forget about the bits in the poppy address, the only thing that should not be there is the least significant bit of the most significant bit (a sign of multicast). Everything else changes at the request of the left heel.
Almost all managed switches have some analogue to the Port Security functionality - a mac address is statically bound to the port, and frames with other mac addresses are discarded (or even the port is extinguished administratively). MAC-IP pairs can also be configured on more advanced ones.
Even the cheapest controllers like D-Link DES-12** can do something similar in one form or another. To change the allowed poppy on the port, in this case, you need to go to the switch control panel, with a password.
More serious protection is 802.1x. But it is not always supported by hardware and software. Yes, and admins too.

A cheap budget switch generally gives a damn about what they stick into it.
More solid ones, like CISCO, will gladly obscure any attempt to put an unfamiliar mac into them in syslog, and the port will be turned off.
But nothing will save you from replacing a cunning poppy user, for any money.