If you have control over the device that transmits the signal, you could try sending an additional validation sequence. This sequence can tell the software that receives the data what rules it should use in decrypting the signal. So, the actual data (on/off) could be dynamically encrypted, while the validation can be decrypted using a special key that only the hardware and software know.
This is similar to hash-based authorization.
However, I think it's important to look realistically at IoT devices.
Personally, if someone is going through the trouble of monitoring/filtering the frequency of my light switch, I'd let them have at it.
We encounter breaches like this everywhere we go in this day and age. The real question always deals with "How much am I willing to pay for this?" When you accept cookies from a website so you don't have to sign in anymore, you're accepting the risk of a security breach because you feel you get more out of the risk than you would endure in consequences.
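One way to realize the "validation sequence" idea from the answer above, as an added example that is not part of the original post: instead of the encryption scheme the answer sketches, it appends an HMAC tag computed over a rolling counter and the on/off command, so the receiver can reject forged and replayed frames. The frame layout, key, tag length and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; assumed to be provisioned on both transmitter and receiver.
SHARED_KEY = b"constructed-demo-key-not-for-use"
TAG_LEN = 8   # truncated HMAC-SHA256 tag, keeps the radio frame short
BODY_LEN = 5  # 4-byte big-endian counter + 1-byte command


def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Transmitter side: counter | command | tag (the 'validation sequence')."""
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command (0 = off, 1 = on) if authentic and fresh, else None."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key, or frame modified in transit
        counter, command = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return None  # a previously captured frame sent again
        self.last_counter = counter
        return command


def demo():
    rx = Receiver(SHARED_KEY)
    on = make_frame(SHARED_KEY, 1, 1)
    results = [rx.accept(on), rx.accept(on)]  # second call is a replay
    off = make_frame(SHARED_KEY, 2, 0)
    tampered = off[:4] + b"\x01" + off[5:]    # command byte changed, tag left as is
    results.append(rx.accept(tampered))
    results.append(rx.accept(off))            # the untouched frame still works
    return results


if __name__ == "__main__":
    print(demo())
```

The counter only protects against replay if the receiver keeps `last_counter` across power cycles; a receiver that resets it to -1 on reboot accepts old frames again.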