My thought was that we have two mechanisms in place for the command line UI: the user can use
sudo snap install as the simple low barrier to entry method of installing snaps, or they can provide a bit more information (store login credentials) to access paid snaps and remove the need to use sudo.
Adding polkit auth would allow the same graduated access on the graphical side. If gnome-software doesn’t currently have a macaroon access token, it could ask for polkit authorisation and trigger the same auth dialog they see for all other sysadmin tasks on their machine. We could then delay asking for user to create store credentials up to the point where they try to install a paid snap.