this is the expected behavior: a user should not be able to edit a resource (the xls) if he/she does not have permission to edit it. :)

The problem is, that the canvas app runs as the logged in user. I would use a technical Sharepoint list as a workaround. You have mentioned that you use Sharepoint here as well, so an additional tech list should not be a problem. Steps in high level:

1. the app is not editing the final xls, but add rows to the technical SPO list (lets name it 'TaskQueue').
2. The app does not run the flow directly.
3. The flow's trigger should be creating a new item in this TaskQueue list.
4. This TaskQueue list should have all the parameters, to execute the flow (or need a key to the original list, or you can put everything into a single JSON code)

With this approach, the flow's owner need to have edit permission to the final xls.