Yep, the definition of a BAPI is that it must functionally perform the same processing as dialog functions and must be remote enabled, but is not allowed to check S_TCODE.
If the entry point for the user is the BAPI, then you should authorize S_RFC plus the application authorizations needed. S_TCODE is not needed even if functionally the same as IW22.
Cheers,
Julius