How to protect bootloader code against overwriting? (STM32F4)

The STM32 reference manual RM0090 describes in chapter 3.8. the One-time programmable bytes (512). This is great to store, say, a public key.

The Annotiation Notes document AN5156 describes - for all processors of the family - among others the feature "Execute-only firmware (PCROP)".

Is this suitable to protect a certain memory area such as the bootloader area against overwriting?

If yes, are there guidelines around (or example code) on how this should be done?

Second: how can - during production - the debug interface be locked against access (security measure)?