The trick is to split the input protection into two halves. One half (or a bit more than half depending on your max possible input votlage) immediately after the input pin, followed by your diode protection bridge to gnd and vcc, and then the other half before the microcontroller input. The first half protects the protection diodes, the second half protects the diodes in the micro. Size them inteligently, and you can ensure that the external diodes clamp before the internal ones, so the external diodes actually protect the micro.
Regarding leakage, if the input is a high impedance, then yes, the diode leakage matters, because the leakage current has nowhere to go to, but when, in your case, the digipot is connected, it's output impedance is easily low enough to swallow that leakage current. It's also good practice to ensure any inputs to your micro have a known failure state, ie a pull up or pull down resistor, so that should the device connected fail (or be disconnected) the input goes to some known state, meaning your logic can reckoning that state, rather than respond to an erroneous input thinking it's the real input!
Often, any input that can cause a system malfunction is set up so that it falls into three known voltage levels:
1) Off Scale Low - a low voltage, that the normal device on the input can never get down too.
2) Off Scale High - a high voltage, that the normal device on the input can never get up too.
3) Normal - a voltage between OSL and OSH, which the device on the input outputs when operating normally
typically, for a 5v input, you'd choose
OSL = <0.5V
OSH = > 4.5V
giving your device a 4v operating span.
These voltages are usually furnished by careful choice of pull up, pull down resistors on the input