Allow TSIG-signed non axfr/update queries
I have two zones with different ACLs for restricting zone transfer, e.g.:
zone:
  - domain: zone1.example.com
    acl: [acl1]
  - domain: zone2.example.com
    acl: [acl2]
If a remote name server (allowed by acl2) uses its TSIG key to sign queries for zone1.example.com above, the query is denied (even if the query is a non-transfer/update query); ACL, denied, action query. How would one allow queries, but not transfer/update, with TSIG-signed requests?