You could use the domain: :all option in your config.session_store and just have a before_action, just as suggested by some in the comments.
So you'll still have the code in config/initializers/session_store.rb or in config/application.rb:
    config.session_store :cookie_store, :key => '_domain_session', :domain => :all
Then in your application_controller add the following code:
    # app/controllers/application_controller.rb
    before_action :check_subdomain

    def check_subdomain
      unless request.subdomain == current_user.account.subdomain
        redirect_to root_path, alert: "You are not authorized to access that subdomain."
      end
    end
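
The check above, worked through in plain Ruby as an added example (not part of the original answer): with domain: :all the browser sends the session cookie to every subdomain, so this comparison is what keeps one account's session from being accepted on another account's host. subdomain_of is a hypothetical stand-in for request.subdomain, BASE_DOMAIN and the sample hosts are constructed, and sending the user to their own subdomain (or to login when nobody is signed in) is an assumption about the desired behaviour.

```ruby
# Plain-Ruby sketch of the tenant check; no Rails required.
# subdomain_of, authorize_subdomain and BASE_DOMAIN are hypothetical names.
require "uri"

BASE_DOMAIN = "example.com" # constructed sample domain

# Approximates request.subdomain with a tld_length of 1: every label to the
# left of the last two, joined by dots. IP-address hosts have no subdomain.
def subdomain_of(host, tld_length = 1)
  host = host.to_s.downcase.chomp(".")
  return "" if host.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/)
  labels = host.split(".")
  (labels[0..-(tld_length + 2)] || []).join(".")
end

# Returns [:allow], [:login] or [:redirect, url].
# account_subdomain is nil when nobody is signed in (current_user is nil).
def authorize_subdomain(host, account_subdomain)
  return [:login] if account_subdomain.nil? || account_subdomain.empty?
  own = account_subdomain.downcase
  return [:allow] if subdomain_of(host) == own
  # Absolute URL on the user's own host: a relative path would stay on the
  # mismatched host and hit the same check again on the next request.
  [:redirect, URI::HTTPS.build(host: "#{own}.#{BASE_DOMAIN}", path: "/").to_s]
end

# Constructed sample requests: [Host header, signed-in account's subdomain]
SAMPLES = [
  ["acme.example.com",   "acme"], # own tenant
  ["ACME.example.com",   "acme"], # host names are case-insensitive
  ["globex.example.com", "acme"], # another tenant, same shared cookie
  ["x.acme.example.com", "acme"], # nested label is "x.acme", not "acme"
  ["example.com",        "acme"], # apex domain, empty subdomain
  ["acme.example.com",   nil],    # no signed-in user
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |host, sub|
    puts "#{host.ljust(20)} #{sub.inspect.ljust(6)} -> #{authorize_subdomain(host, sub).inspect}"
  end
end
```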