According to docs, one can set locking range to ro (see setLockingRange <0-15> <ro|rw|lk> <password> <device>).
That said, not sure what setLockingRange actually does and wasn’t able to find good documentation.
$ sedutil-cli --setLockingRange 0 RO passw0rd /dev/nvme0
Sure, why not? If you want to lock the entire drive, enable the global locking range and make it read-only:
sedutil-cli --enableLockingRange 0 passw0rd /dev/nvme0
sedutil-cli --setLockingRange 0 RO passw0rd /dev/nvme0
In case the drive is in initial state (brand new or reset), you will need to initialize SED features: set Admin1/SID passwords and activate Admin and Locking SP's. With sedutil there is a convenience shortcut for these steps:
sedutil-cli --initialSetup passw0rd /dev/nvme0
Arch Linux wiki might give you more insight on SEDs in general.
You can also lock the boot partition only. You will need to set up a separate locking range and put the partition on it.