Elijah. There are two separate questions here:
1. Is DTC supported with AlwaysOn Availability Groups?
You're using SQL Server 2012, and according to Microsoft's Documentation, that answer is no. I totally understand that you want to try it anyway, but keep in mind that you're now putting something into production that Microsoft simply will not support, AND you're using two separate niche features together (AGs and DTC). If anything whatsoever goes wrong, you're going to be in a world of hurt. This just isn't something I'd ever even think about trying in production.
Keep in mind that if your managers find out that you deployed something Microsoft specifically says in big letters, "YOU CAN'T DO THIS," and you have any kind of outage where you have to call Microsoft for support, you're going to have some ugly explaining to do.
Technically, DTC is supported starting with SQL Server 2016 SP2 and later, but it just means that you can pick which database loses data on failover, and the application has no idea data was permanently lost. That's not what a normal database administrator would call DTC support.
2. How should DTC be configured in a multi-node, multi-subnet cluster?
Read Allan Hirt's post on configuring DTC with multiple instances of SQL Server in a cluster, and make sure to read all of the links in the post as well.
Best Answer
The more features you turn on, the greater the risk. The Linux community openly says to turn features off if you don't need them. Microsoft has a Windows Server 2012 core mode:
Install Server Roles and Features on a Server Core Server
I don't see DTC on the list. There are good practices, but if there is a business need, I turn it on. I always say the right tool for the right job. But you can change the default port for DTC; if you do this, hacker scanning tools won't find it.
How to Configure MSDTC to Use a Specific Port in Windows Server 2012/2012R2
I have worked at banks that change the default port of all the SQL Servers. In some cases, each server had a port in a range of 100 and all the firewalls let that group through. It is a support nightmare, but it is VERY secure.