Can't fetch a private project avatar/badge anymore with a private_token

Summary

Project avatars for private projects can't be fetched when you're not logged in. Before, you could still access a project avatar supplying a ?private_token= like so:

https://gitlab.com/uploads/-/system/project/avatar/---project-id---/---image---.png?private_token=---personal-access-token---

Using a personal access token with read_repository permission allowed you to fetch the image. This doesn't work anymore.

Note: This was working with version 11.5.0, and it broke with the security updates in 11.5.1.

Same goes for project badges.

Why

My project CIMonitor is showing a list of all pipelines/builds, using the project.avatar_url pushed by a GitLab webhook. This is super awesome, except that nobody can access images for private projects.

Steps to reproduce / current bug behavior

  1. Copy the link of a project avatar for a private project
  2. Open the avatar in an incognito window, see that you need to log in first
  3. Add ?private_token=personal-access-token to the image URL, replacing personal-access-token with an actual personal access token with read_repository permission. Note: That user MUST have read access to the project!
  4. See that you still can't access the image

What is the expected correct behavior?

  1. Copy the link of a project avatar for a private project
  2. Open the avatar in an incognito window, see that you need to log in first
  3. Add ?private_token=personal-access-token to the image URL, replacing personal-access-token with an actual personal access token with read_repository permission. Note: That user MUST have read access to the project!
  4. See that you can view the image
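The reproduction steps above as a script, added here as an example and not part of the original report or of GitLab: it requests a private project's avatar anonymously and again with ?private_token= appended, and reports whether each attempt returns an image, a redirect to the sign-in page, or a denial. The host, path and token are placeholders, and the assumption that an unauthenticated request is redirected to a URL containing /users/sign_in is mine.

```python
"""Probe a private project avatar with and without ?private_token=."""
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Placeholders; replace with a real avatar URL and a token that has read access.
AVATAR_URL = "https://gitlab.example.com/uploads/-/system/project/avatar/---project-id---/---image---.png"
TOKEN = "---personal-access-token---"


def with_private_token(url: str, token: str) -> str:
    """Append private_token=<token> to the query string, keeping existing parameters."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("private_token", token)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify(status: int, content_type: str, location: str) -> str:
    """Map an HTTP response to one of: image, login-required, denied, other."""
    if status == 200 and content_type.startswith("image/"):
        return "image"
    if status in (301, 302, 303, 307, 308) and "/users/sign_in" in location:
        return "login-required"  # assumed: GitLab bounces anonymous users to sign-in
    if status in (401, 403, 404):
        return "denied"
    return "other"


class _NoRedirect(HTTPRedirectHandler):
    """Suppress redirect following so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str) -> str:
    """Fetch url once (no redirects) and classify the outcome."""
    opener = build_opener(_NoRedirect)
    try:
        resp = opener.open(Request(url, headers={"Accept": "image/*"}), timeout=10)
        return classify(resp.status, resp.headers.get("Content-Type", ""), "")
    except HTTPError as err:  # raised for the suppressed 3xx and for 4xx
        return classify(err.code, err.headers.get("Content-Type", ""),
                        err.headers.get("Location", ""))


def check_avatar(url: str, token: str) -> tuple:
    """Return (anonymous outcome, outcome with ?private_token=)."""
    return probe(url), probe(with_private_token(url, token))


if __name__ == "__main__":
    anon, authed = check_avatar(AVATAR_URL, TOKEN)
    print(f"anonymous: {anon}; with private_token: {authed}")
```

With 11.5.0 the second value was reported as "image"; the report states that from 11.5.1 it no longer is.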
Edited Dec 11, 2018 by Rick van der Staaij