The secret is the (slightly hidden) '...' menu in the 'Store' application. It's not physically hidden, but there's only the one item, 'Settings', on it, there's precious little in the dialog once you get there, and, in two years of Windows Phone use, I've never had cause to open this up. Possibly the same goes for you too.
However, what is there is spot on for solving the problem above. Essentially you can set a PIN (yes, yes, one more code string to remember in your busy life but, hey, set it to your bank card PIN or similar, something you already know) and this will be called up whenever any attempt is made to buy anything on the phone through the Store account - whether that be music, apps or in-app content, as here.
Here's a walkthrough:
For further reading, see our original debate on the cons and pros of In-App-Purchases. It's fair to say that when writing the former, I wasn't allowing for the not-very-well-known PIN protection, detailed above - so if reading this article saves even one Windows Phone user from IAP bill shock then it has been worthwhile.
You can now hand your phone, with games installed, to a kid or teenager and rest confident that, however tough the going in the game, they won't be able to speed things up by raiding your account!
PS. As some have pointed out, there are other ways 'into' the Wallet set-up, not least via the generic Wallet 'wizard' in the main app list, where the PIN protection is on its Settings menu; or using Settings>Applications>Wallet. So there really is no excuse not to go find this option and enable it!
PPS. Even with PIN protection, I still believe that £50 and £99 IAPs are downright immoral and are clearly designed to prey on the gullible, mind you... Microsoft should enforce a £10/$10 limit on such transactions.