There are weaknesses to your proposed solution that many network administrators would be able to subvert.
The obvious weaknesses are that MAC addresses can be cloned and the switch would be none the wiser. In fact, I could probably build a cheap device to clone the MAC address, allow the phone to continue to work AND allow me to plug in other devices.
If I were trying to do this I would set up a separate VLAN and put this phone on that VLAN - giving it access to only talk to the devices it needs to talk to. (It is theoretically possible to break VLAN security, but it's a whole different ballgame hard - probably out of reach of the vast majority of adversaries). Setting it up so it requires VPN access is probably overkill, but theoretically more secure.
You might also want to bandwidth limit the speed of the connection if you are extremely paranoid - which would mean that even if the network is breached the speed at which data can be exfiltrated could be slow - i.e. you could limit it to UDP only and 100kbit per second or so. (Probably not worth the effort IMHO)
Rather than disabling the phone's screen, why not get a phone without a screen so it can't be enabled? (If you are concerned about a technically skilled adversary, the $100 or so it would cost would not be an issue). An even more secure alternative would be to ditch VoIP for the phone altogether and connect a regular phone to an ATA across the existing wiring. This would pretty much limit the port to supporting a phone - although voice quality and functionality might be affected.
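The following is an added example, not part of the original answer: a small Python model of the port policy the answer suggests (voice VLAN peer allowlist, UDP only, 100 kbit/s cap), showing that a voice stream passes while a bulk transfer from a cloned-MAC device is held to the cap. The peer address, burst size and packet sizes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The UDP-only rule and 100 kbit/s cap come from the answer above; the peer
# address, burst size and packet sizes are constructed for illustration.
ALLOWED_PEERS = {"10.20.0.10"}    # hypothetical call server on the voice VLAN
RATE_BYTES_PER_S = 100_000 / 8    # 100 kbit/s
BURST_BYTES = 4_000               # hypothetical token-bucket depth

@dataclass
class Packet:
    t: float      # arrival time in seconds
    proto: str
    dst: str
    size: int     # bytes

class PortPolicy:
    """ACL (protocol + peer allowlist) followed by a token-bucket policer."""
    def __init__(self):
        self.tokens = float(BURST_BYTES)
        self.last = 0.0

    def decide(self, p: Packet) -> str:
        if p.proto != "udp":
            return "drop:proto"
        if p.dst not in ALLOWED_PEERS:
            return "drop:peer"
        # Refill for the time elapsed since the last policed packet.
        self.tokens = min(BURST_BYTES, self.tokens + (p.t - self.last) * RATE_BYTES_PER_S)
        self.last = p.t
        if p.size > self.tokens:
            return "drop:rate"
        self.tokens -= p.size
        return "forward"

def run(packets):
    """Return (verdict counts, bytes forwarded) for a packet sequence."""
    policy, counts, forwarded = PortPolicy(), {}, 0
    for p in packets:
        verdict = policy.decide(p)
        counts[verdict] = counts.get(verdict, 0) + 1
        forwarded += p.size if verdict == "forward" else 0
    return counts, forwarded

def stream(seconds, interval, size, proto="udp", dst="10.20.0.10"):
    """Constructed traffic: one packet of `size` bytes every `interval` s."""
    return [Packet(i * interval, proto, dst, size) for i in range(round(seconds / interval))]

if __name__ == "__main__":
    print("voice call :", run(stream(10, 0.02, 200)))     # 80 kbit/s, fits
    print("bulk copy  :", run(stream(10, 0.001, 1400)))   # 11.2 Mbit/s offered
    print("tcp attempt:", run(stream(1, 0.01, 1400, proto="tcp")))
```

The drop counters are the useful signal on a real switch as well: sustained `drop:rate` or any `drop:proto`/`drop:peer` hits on a phone port indicate something other than the phone is attached.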