It appears that you have a multi-layered authorization model. Role-based authorization is determining what users can do. Then you have a set of shopIds that limits what data users can access or modify when using their authorized functionality. I do something similar to this.
I create custom Claims (that get queried once - when the user authenticates) that then become the limitations for restricting what data the user can access or modify.
User Claims can be used within your ServiceFilter without having to hit the database and therefore injecting it into that filter or having to pull a context instance from the ServiceProvider.
This methodology may require that you create a way to authorize all shopIds to admin-type users - if this is part of your access model. It IS part of mine!
Good luck!
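A sketch of the approach described in this answer, added here as an example and not the answerer's own code. It assumes ASP.NET Core MVC, a route parameter named `shopId`, and a hypothetical claim type `shop_id` with `*` as the admin wildcard value.

```csharp
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public static class ShopClaims
{
    // Hypothetical claim type and wildcard value; choose your own names.
    public const string ShopId = "shop_id";
    public const string AllShops = "*";

    // Call once at sign-in, after the single database lookup of the user's shops.
    public static void AddShopClaims(ClaimsIdentity identity, IEnumerable<int> shopIds, bool isAdmin)
    {
        if (isAdmin)
            identity.AddClaim(new Claim(ShopId, AllShops));
        else
            identity.AddClaims(shopIds.Select(id =>
                new Claim(ShopId, id.ToString(CultureInfo.InvariantCulture))));
    }

    // True only if the principal holds the wildcard or a claim for this exact shop.
    public static bool CanAccess(ClaimsPrincipal user, int requestedShopId) =>
        user.FindAll(ShopId).Any(c => c.Value == AllShops ||
            (int.TryParse(c.Value, NumberStyles.None, CultureInfo.InvariantCulture, out var id)
             && id == requestedShopId));
}

// Register in DI and apply with [ServiceFilter(typeof(ShopAccessFilter))].
public class ShopAccessFilter : IActionFilter
{
    public void OnActionExecuting(ActionExecutingContext context)
    {
        // Assumes the route template carries the shop as {shopId}.
        context.RouteData.Values.TryGetValue("shopId", out var raw);
        if (!int.TryParse(raw?.ToString(), NumberStyles.None,
                          CultureInfo.InvariantCulture, out var shopId))
        {
            context.Result = new BadRequestResult();
            return;
        }
        // Fail closed: no matching claim means 403, whatever the user's role.
        if (!ShopClaims.CanAccess(context.HttpContext.User, shopId))
            context.Result = new ForbidResult();
    }

    public void OnActionExecuted(ActionExecutedContext context) { }
}
```

Because the claims are fixed when the user signs in, removing a shop from a user takes effect only after the cookie or token is reissued, so keep its lifetime short or revalidate the principal where revocation has to be prompt.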