Showing the "Authentication Required" root prompt not immediately after
clicking "Install" or "Update" in GNOME software seems to me like it is
fundamentally insecure, and I would argue it destroys all security benefits
this prompt might possibly bring.

The problem is that you're essentially training the user to just consent to
this prompt no matter what horrible malicious actor might be showing it, since
it contains zero information allowing the user to verify it was triggered by a
legitimate source. I also can't think of any way you could possibly provide
that information, since even if you showed the process id and name, another
process could just name itself "gnome-software" and the user isn't going to
remember the process id.

As a consequence, the only somewhat reliable mechanism the user has for
verifying that this prompt is legitimate and not a bad actor is that the prompt
showed right after they triggered an action that is actually intended. This
however appears to be destroyed by delaying this prompt until the download or
whatever preparation steps are complete, rather than as instant as possible
after clicking the "Install" or "Update" button in GNOME software. (Because I
assume nobody will be just keeping the GNOME software window and stare at it to
check that the prompt happened right after some progress bar reached 100%, at
least I certainly don't.)