Does a SQL CLR stored procedure prevent injection?

Question 1

CLR Stored procedure doesn’t prevent this by default. You need to do this yourself since CLR doesn’t do this automatically (I guess this was the actual questions you wanted to know)

Just update your code like this and you should be all good.

 [Microsoft.SqlServer.Server.SqlProcedure]
    public static void IsUserNameExists(string strUserName, out SqlBoolean returnValue)
    {
        using (SqlConnection connection = new SqlConnection("context connection=true"))
        {
            connection.Open();
            SqlCommand command = new SqlCommand("Select count(UserName) from [User] where UserName=@UserName", connection);
            command.Parameters.Add(new SqlParameter("@UserName", strUserName));

            int nHowMany = int.Parse(command.ExecuteScalar().ToString());

            if (nHowMany > 0)
                returnValue = true;
            else
                returnValue = false;
        }
    }

Question 2

The only correct way to prevent sql injection should be using parameterized queries. What you are doing is not safe, since you are concatenating strings.

Look into this here for reference How do parameterized queries help against SQL injection?

For clearification, why your code is vulnerable:
In terms of SQLParameter even something like '); DROP TABLE YourTable;-- will be a valid input (since it is a string). This will then be used by you to create the inner query and there's your SQL-Injection.

Question 3

Is it vulnerable to SQL injection?

It is:

SomeType.IsUserNameExists("'; insert into [User](UserName) values ('Malefactor_Username'); select '1", out returnValue);

Any best practises?

Always use parametrized queries.