I am using multiple workstation VMs with different Linux OSs. Is there a way from workstation side to make sure there will be no clearnet or VM1-VM2 leaks in case when gateway has been compromised or misconfigured ? If the traffic is not going through the tor network => drop the connection. Is whonix-firewall on workstation doing that thing ?
Whonix-Gateway forces all traffic through the Tor network or blocks it. Whonix-Workstation does not. Whonix-Workstation does not block clearnet leaks if Whonix-Gateway is compromised of misconfigured. Its important that you don’t change any settings in Whonix-Gateway unless you know what you are doing.
Keep in mind if Whonix-Gateway is compromised the Whonix security model is broken.
If this is a concern you could further compartmentalize by using Multiple Whonix-Gateways
Whonix is divided into two VMs: Whonix-Workstation for work activities and Whonix-Gateway to enforce all Internet traffic routing via the Tor network.  This security by isolation configuration averts many threats posed by malware, misbehaving applications, and user error.
Yes, compromised GW = game over. See also (if this is a realistic targeted threat, how boned your are)
I understand that, but I am curious if an extra layer foolproof protection to the custom workstation can be added since I cannot install whonix-check and whonix-firewall on it
No such thing as foolproof protection. If you are using a Debian/Linux Workstation most (all?) of the Security/hardening can be applied. You would have to do a little research. The Free Support Principle applies.