Normally you don’t need the reflection API, a gRPC server could choose not to support it at all. It’s the grpc_cli making this request. If you write your own gRPC client, I think it won’t send the reflection request in the first place.
The “workaround” is actually for grpc_cli, as istio is doing exactly the job to reject requests without valid JWT token.