Ah ok! Thanks for the update. 
It is an issue because if you use ACL you cannot use any of the graphql or dql functions which get submitted to your custom resolver and thus you need to implement a custom wrapper for fetch. Furthermore, you have to request another login token (X-Dgraph-AccessToken) inside every custom resolver which is a bit weird considering that you have sent that token with the original request already.
Additionally, if you want to preserve user information regarding ACL rules, you would have to submit username and password (or even worse via a field in the GraphQL request) via the X-Auth-Token since that is the only header which is available.
The only other option is to have a lambda user which is allowed to do everything and to implement custom auth checks inside the resolver.
Would be great if @Raphael can comment this.