The secret is the (slightly hidden) '...' menu in the 'Store' application. It's not physically hidden, but there's only the one item on it, 'Settings', there's precious little in the dialog once you get there and, in two years of Windows Phone use, I've never had cause to open it. Possibly the same goes for you too.
However, what is there is spot on for solving the problem above. Essentially you can set a PIN (yes, yes, one more code string to remember in your busy life but, hey, set it to your bank card PIN or similar, something you already know) and this will be called up whenever any attempt is made to buy anything on the phone through the Store account - whether that be music, apps or in-app content, as here.
Here's a walkthrough:
The problem: In-App Purchases (IAPs), often as much as £50, to catch the unwary (or too innocent)...
The solution: head into the Store client and tap on the '...' menu, bringing up the sole menu option: 'settings'; (right) there's really not much here, except 'PIN', but that's all we need right now....
By default, 'Wallet PIN' is turned off, which is why most of us have never even seen this feature. Tap on the toggle and you'll be prompted (right) for a PIN of your choice (I used my bank PIN, burned into my brain!). Finally, tap on 'Done'...
'Wallet PIN' is then 'On', but this isn't the protection itself; for that you also need to check the box underneath, confirming that you want to use this to protect purchases. This 'double' activation seems a little over the top in terms of UI, but hey, it's a 'set it and forget it' thing, so...
Trying it out, let's tap on an IAP in the rightly maligned Nemo's Reef; (right) the Wallet PIN confirmation pops up immediately, protecting your bank balance. Job done!
For further reading, see our original debate on the cons and pros of In-App Purchases. It's fair to say that when writing the former, I wasn't allowing for the not-very-well-known PIN protection, detailed above - so if reading this article saves even one Windows Phone user from IAP bill shock then it has been worthwhile.
You can now hand your phone, with games installed, to a kid or teenager and rest confident that, however tough the going in the game, they won't be able to speed things up by raiding your account!
PS. As some have pointed out, there are other ways 'into' the Wallet set-up, not least via the generic Wallet 'wizard' in the main app list, where the PIN protection is on its Settings menu; or using Settings>Applications>Wallet. So there really is no excuse not to go find this option and enable it!
PPS. Even with PIN protection, I still believe that £50 and £99 IAPs are downright immoral and are clearly designed to prey on the gullible, mind you... Microsoft should enforce a £10/$10 limit on such transactions.