I don't think this is doable using Gerrit's ACLs since the ACLs doesn't differentiate between different kind of reads.
Ref access:
Create - git push, REST PUT/POST
Read - git fetch/git clone, REST GET
Update - git push, REST PUT/POST
Delete - git push --force, REST PUT/DELETE
AFAIK there's no out-of-the-box functionality to limit who can issue a git fetch/git clone.
Possibly you can accomplish this with a plugin and/or configuration of proxy servers.
But I don't see how you would gain anything by limiting who can fetch/clone from a access perspective, looking at the code in Gitiles has the same implications as git fetch:ing the code to a local machine, both are non-destructive reads and does not implicitly give the user Update or Delete.
/Sven