Hi,
You can do this by altering the xtk:workflow form.
For containers or fields you want read only, add attribute readOnlyIf="HasNamedRight('webAppWorkflowReadOnly')", where webAppWorkflowReadOnly is the right you added to the users' operator group.
Thanks,
-Jon