How can I force/restrict the Gradle dependency resolution to only use TLS 1.3+ for download?
…and also I’d like to disable specific weak ciphers, is that possible?
I don’t actually know how to do that, but I would assume Gradle just uses the default security provider in Java for creating HTTPS connections. So you should be able to both enforce TLS 1.3 and disable specific ciphers by tweaking the java.security file in the JDK you use. Alternatively, at least for enforcing the TLS version, you can probably also do it by setting the jdk.tls.client.protocols property in your Gradle options.
Maybe 
Note that there is nasty a bug in TLS 1.3 for older versions of Java 11 and Java 12, so be sure you are using a version that is relatively new (e.g. 11.0.5).