Resubmit is not an entitle-able action, because it's not a day 2 operation. It's by design that it's available to everyone for all requests. It's working as designed.
As a workaround, you could create an approval workflow to block the invalid submissions. You could accomplish this by creating an approval policy with approval required based on the condition "requested by does not equal (the vRO service user)" and setting the approver to use event subscription and write a workflow that automatically rejects all such requests. This should effectively block the unwanted re-submissions.