Well the easiest method is to not permit any Mesh Gateways on your local network (San Diego County has adopted this as standard, along with no tunnels permitted either)
By being a mesh gateway one has generally stated "I am wide open for providing full access to the internet" this mean you can't prevent access and be a mesh gateway. One in theory could do some network controls to limit the bandwidth and not violate the specifications around being a mesh gateway, but that would be dependent upon your existing firewall solutions.
Beyond that monitoring the actual traffic transitioning a mesh gateway node to see if its being used for purposes beyond what its intended.
To add... A simple SOCKS based proxy server could provide internet to users that you wanted to have access. This would simply require install the proxy on a Pi (for example) and attaching it to the LAN port of a node that does have internet access. (Mesh Gateway would still be disabled). If you wanted a user to have internet access, they would configure their browser to point to the proxy server (and possibly authenticate), and voila! (everyone else on the mesh would not even know about it).
By being a mesh gateway one has generally stated "I am wide open for providing full access to the internet" this mean you can't prevent access and be a mesh gateway. One in theory could do some network controls to limit the bandwidth and not violate the specifications around being a mesh gateway, but that would be dependent upon your existing firewall solutions.
Beyond that monitoring the actual traffic transitioning a mesh gateway node to see if its being used for purposes beyond what its intended.