You can use SSH to access such a socket securely, leveraging the security options provided by SSH. You don't need socat at all, because SSH allows forwarding socket-to-socket or tcp-to-socket via the -L option:
-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
E.g. if your qemu process runs with the option
-monitor unix:/my_path/my_fifo,server,nowait
use
ssh virtualization-host -L /tmp/monitor:/my_path/my_fifo
to connect, and then connect to the local socket /tmp/monitor, or use
ssh virtualization-host -L 12345:/my_path/my_fifo
and telnet to localhost:12345 (the SSH client will listen only on localhost in this case).
To achieve better security, use SSH keys to connect to monitors. On the remote virtualization host, create a user who'll have rw rights on the /my_path/my_fifo object. Create a key pair and put the public key into that user's ~/.ssh/authorized_keys file in a restricted way to only allow forwarding:
restrict,port-forwarding,command="/bin/false" ssh-... ..... (the public key string)
To connect, use a command which doesn't allocate a shell and doesn't run a command, useful just for forwards:
ssh monitoruser@virtualization-host -i monitor_private_key -L 12345:/my_path/my_fifo -N
and finally, use telnet localhost 12345 to access the monitor socket forwarded via SSH.
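One way to check that entries in the monitor user's authorized_keys really follow the forward-only pattern above, as an added example that is not part of the original answer. The function names are hypothetical and the sample entries are constructed; the check relies on sshd processing key options left to right.

```shell
#!/bin/sh
# Print the options field of one authorized_keys entry. Quoted values are
# blanked first so spaces or commas inside command="..." cannot confuse the
# split. Prints nothing if the entry starts with a key type (no options).
key_options() {
    printf '%s\n' "$1" | sed -e 's/\\"//g' -e 's/"[^"]*"/""/g' |
        awk '$1 !~ /^(ssh-|ecdsa-|sk-)/ { print $1 }'
}

# Succeed only if the entry permits forwarding and nothing else.
# Options apply left to right, so "restrict" clears an earlier
# "port-forwarding"; options that re-enable other features fail the check.
is_forward_only() (
    opts=$(key_options "$1")
    restrict=0 fwd=0 cmd=0
    set -f; IFS=,
    for o in $opts; do
        case $(printf '%s' "$o" | tr 'A-Z' 'a-z') in
            restrict)        restrict=1; fwd=0 ;;
            port-forwarding) fwd=1 ;;
            command=*)       cmd=1 ;;
            pty|agent-forwarding|x11-forwarding|user-rc) exit 1 ;;
        esac
    done
    [ "$restrict" = 1 ] && [ "$fwd" = 1 ] && [ "$cmd" = 1 ]
)

# Read an authorized_keys file on stdin, print a verdict per entry and
# return non-zero if any entry is not forward-only.
audit_keys() {
    rc=0 n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        if is_forward_only "$line"; then echo "line $n: forward-only"
        else echo "line $n: NOT forward-only"; rc=1; fi
    done
    return $rc
}

# Constructed sample entries (key material is a placeholder).
audit_keys <<'EOF' || true
restrict,port-forwarding,command="/bin/false" ssh-ed25519 AAAA_CONSTRUCTED monitor
ssh-ed25519 AAAA_CONSTRUCTED unrestricted
restrict,pty,port-forwarding,command="/bin/false" ssh-ed25519 AAAA_CONSTRUCTED pty
EOF
```

To audit a real file, run audit_keys with the monitor user's ~/.ssh/authorized_keys on standard input.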