If your goal is to prevent read-only connections from successfully connecting to a secondary replica in an Always On Availability Group, that is a simple configuration:
https://learn.microsoft.com/en-us/sql/database-engine/availability-groups/windows/configure-read-only-access-on-an-availability-replica-sql-server?view=sql-server-ver15
This will allow or deny incoming connections which are read-only when the replica is in secondary mode. If the replica is in Primary role, all connections are allowed.
If you have a need to keep the replica in a specific "Recovery" state, you do not have that level of control. An Availability Group Secondary is in a state of continual recovery, constantly applying update log records received from the Primary.