Hi,

I think that depends if the patch also affect database engine binaries and/or AG database data or metadata. If only affects middleware (SharePoint binaries for example) or database engine binaries, you can use the passive first - failover after quorum majority - new passive machines approach, like an OS or SQL Server binaries patch. In that case you can suspend affected secondary replica and take cold snapshots. If affects database metadata, you can suspend AG replication from primary, take cold snapshot and then patch.

I hope that this helps.