I think your understanding is better than mine...
Haven't used Rails, but I think it's that if the access key in the controller can be seen by an end user, they can then access the workspace.
That was from: https://azure.microsoft.com/en-us/documentation/articles/power-bi-embedded-iframe/
"But, when we embed the report in our web page, this kind of security information would be handled using JavaScript (frontend). Then the authorization header value must be secured. If our access key is discovered by a malicious user or malicious code, they can call any operations using this key."
So I've gone down a somewhat complicated path of having a user call an "api" that uses the access key to return the shorter-term token, the same as what your controller does, I think.
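The pattern described in this post (frontend calls a server-side endpoint, the endpoint holds the access key and hands back only a short-lived token), as an added example that is not from the thread or from Microsoft's own SDK. The `POWERBI_ACCESS_KEY` variable, the claim names and the `token_endpoint` helper are assumptions; the real Power BI Embedded claim set is not shown in the thread and must come from the documentation linked above.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Assumed: the workspace access key lives only in a server-side environment
# variable; the browser only ever sees the short-lived token minted below.
ACCESS_KEY = ENV.fetch('POWERBI_ACCESS_KEY', 'constructed-demo-key-not-a-real-secret')
TOKEN_TTL_SECONDS = 600

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Compare two byte strings in constant time so the check does not leak
# how many leading bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint an HS256-signed token scoped to one report.  Claim names (rid, nbf,
# exp) are illustrative placeholders, not the documented Power BI claim set.
def mint_embed_token(report_id, now: Time.now.to_i)
  header  = b64url(JSON.generate(alg: 'HS256', typ: 'JWT'))
  payload = b64url(JSON.generate(rid: report_id, nbf: now, exp: now + TOKEN_TTL_SECONDS))
  sig = OpenSSL::HMAC.digest('SHA256', ACCESS_KEY, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(sig)}"
end

# Return the claims if the signature and validity window check out, else nil.
def verify_embed_token(token, now: Time.now.to_i)
  header, payload, sig = token.split('.')
  return nil unless header && payload && sig
  expected = OpenSSL::HMAC.digest('SHA256', ACCESS_KEY, "#{header}.#{payload}")
  return nil unless constant_time_equal?(expected, Base64.urlsafe_decode64(sig))
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil if now < claims['nbf'] || now >= claims['exp']
  claims
rescue ArgumentError, JSON::ParserError
  nil
end

# The "api" the frontend calls: authenticate first, then return only the
# token.  A hypothetical controller action would wrap this; the access key
# itself never appears in the response.
def token_endpoint(current_user, report_id)
  return { status: 401, body: { error: 'not signed in' } } if current_user.nil?
  { status: 200, body: { token: mint_embed_token(report_id) } }
end
```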