OpenSSH: Prevent globbing on SSH_ORIGINAL_COMMAND
Use quotes:
cat bin/script.sh
#!/bin/sh
printf '<%s>\n' "$@"
command="/home/user/bin/script.sh \"${SSH_ORIGINAL_COMMAND}\"" ssh-rsa AA...
ssh -i .ssh/id_rsa.special hamilton '*'
<*>
ssh -i .ssh/id_rsa.special hamilton 'foo bar'
<foo bar>
But also you will get:
ssh -i .ssh/id_rsa.special hamilton '*' 'foo bar'
<* foo bar>
Not sure whether it is a problem for you or not.
And I was confused about:
And apparently I can't use " inside the command="…"
I thought it was a kind of limitation in your task, so I deleted my answer.
I'm glad my answer helped you with your task!
There should be no need to put $SSH_ORIGINAL_COMMAND on the command line at all. It's available as an environment variable to /path/to/script.sh. That would automatically remove one level of shell-evaluation.
Also, if you don't want your shell to expand any glob characters, consider writing script.sh in some language that isn't a shell such as perl/python/ruby/etc. Non-shell languages will only perform glob/file expansion when explicitly instructed to. But that might not be necessary if it obtains the value of $SSH_ORIGINAL_COMMAND directly from the environment rather than having it passed to it via the command line.
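As an added example (not part of the answers above): a forced-command wrapper in Python that takes SSH_ORIGINAL_COMMAND from the environment instead of the command line, as the last answer suggests. The script name script.py, its authorized_keys entry and the function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Forced-command wrapper that reads SSH_ORIGINAL_COMMAND from the environment.

Assumed authorized_keys entry (hypothetical path, no variable on the line):
  command="/home/user/bin/script.py" ssh-rsa AA...
"""
import os
import shlex
import sys


def original_command(environ=os.environ):
    """Return the client's command string, or None if none was supplied.

    sshd sets SSH_ORIGINAL_COMMAND only when the client sent a command,
    so a plain interactive login leaves it unset.
    """
    return environ.get("SSH_ORIGINAL_COMMAND")


def split_words(command):
    """Split with POSIX quoting rules and no expansion of any kind.

    shlex.split honours quotes and backslashes but never expands globs,
    variables or command substitutions, so '*' stays a literal asterisk.
    Raises ValueError on unbalanced quotes.
    """
    return shlex.split(command)


def main():
    command = original_command()
    if command is None:
        print("no command supplied", file=sys.stderr)
        return 1
    print("<%s>" % command)  # the whole string, like the quoted sh version
    try:
        for word in split_words(command):
            print("  word: <%s>" % word)
    except ValueError as exc:
        print("rejected: %s" % exc, file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With `ssh host '*' 'foo bar'` the client joins its arguments with spaces before sending, so the wrapper sees the single string `* foo bar` and the original argument boundaries cannot be recovered on the server side.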