Good to know that workaround helps your use case. But I am curious to know why you want to use Alter Subscription .. Refresh via function? The same restriction holds for Create/Drop Subscription as well but you don't seem to be using those via function.
Yes, the workaround really helps to continue the operations as it was.
let me explain.
In a typical operations case, owner / someone with superuser privilege sets up everything as part of the deployment and then hands over the day-to-day operations of different teams who do 24x7 coverage.
Those teams in regular operations support won't be given superuser privilege or owner account because of obvious reasons.
A function with "SECURITY DEFINER" is generally used as a method to hand over only the required privilege just to refresh the subscription.