Hi @Rock, welcome to the Microsoft Q&A forum, and sorry for the delayed response.
From the details you provided, it seems that you want to restrict users to just being able to query the data from the Analytical Store in Azure Cosmos DB.
This can be achieved by controlling the network access separately for both the transactional and analytical stores independently. Network isolation is done using separate managed private endpoints for each store, within managed virtual networks in Azure Synapse workspaces.
Please refer to the article below, which talks about creating a private link in detail:
Configure Azure Private Link for Azure Cosmos DB analytical store
I would also suggest that you go through the link below, which talks about security features on the analytical store:
If we use read-only keys when creating a private link, users will be able to access the transaction store, although they would not be able to write anything.
Please let us know if this helps; otherwise, we can discuss this further.