Chan_PJSIP doesn’t allow anonymous users to auth unless they either are match by an IP or there is an anonymous endpoint that has been created. Chan_PJSIP doesn’t have the concept of “allow guests” which means it won’t just default to a peer if nothing else matches. So you don’t want anonymous users trying to auth to make calls, no problem. You don’t create an anonymous endpoint and you remove/don’t allow the anonymous identifier to be used.
As for using domains, Chan_PJSIP’s username identifier will check for user@domain then user for endpoints to match. So if you want to fully auth with user@domain you need endpoints to match that. Which means the following will work:
; Matches on user 100@domain1 in the From user field
[100@domain1]
type=endpoint
;matches on user 100@domain2 in the From user field
[100@domain2]
type=endpoint
;matches on any 100 user that does not have domain1 or domain2 in the From user field.
[100]
type=endpoint