Backend State File

Is there a way to lock down the backend state file so the state file can only be called from say a build and deployment system and not from anywhere else?

That very much depends on what you are using for your state storage. For example if you are using S3 you could ensure only the IAM user/role that your build system uses has access, or similar with database credentials if that is what you are using.