I'm not sure what's wrong, lots of moving parts. Here's something you might like, but may not address the embedded problem you have.
I like this technique instead of grating execute to a procedure.
Instead of calling the package to get the PDF you call an APEX page:
htp.p('<div style="">'); htp.p('<embed height="550px" width="450px" name="statement" '); htp.p(' src="f?p=&APP_ID.:200:&SESSION.::::P200_ID:'|| :P7_PLUG_ID||'"'); htp.p(' type="application/pdf" />'); htp.p('</div>');
Here p200 is used for downloading the PDF. The page only has a "Generate PDF Download" process "On Load: Before Header"
The code something like this:
WS_RENDER_PDF_INSTRUCTIONS(p_plug_id => :P200_ID); apex_application.stop_apex_engine;
You make sure you do your owa_util.mime_header call in the package and download the PDF (or any blob really).
I like this because no grants are needed. PLUS APEX security still applies. ONLY those authenticated to the app can run p200, plus you can add Authorization Schemes to the page.
I do se the template of the page to something simple like PopUp page, BUT it doesn't matter because the page template never downloads. The stop_apex_engine call takes care of that.
Hope this helps.
Ahh, I've seen that technique before - this is a great implementation of it - thanks Jorge!