Cannot retrieve private project avatar - broken for about 1 year
The current endpoint that serves project avatars, and maybe other assets, does not acknowledge a provided private access token, so it assumes the request is not authorized and always responds with the HTML of the sign in/up page.
Steps to reproduce:
- Make a private repository
- Upload an avatar
- Run a GET request on the avatars URL (https://gitlab.com/uploads/-/system/project/avatar/[project_id]/[file_name]) using Postman
- Observe that the sign in/up page HTML is returned. This is ok though, because we are not authorized yet.
- Create a personal access token
- Provide it as shown here and try again
- Observe that we are still not authorized to GET the image. <- Problem
- Make the private repository public
- Try again, observe that the image is now shown.
Conclusion: Private access tokens and perhaps other forms of authentication are not acknowledged by your static assets endpoint. Only cookie-based authentication is acknowledged.
I've known that the LabCoat Android app stopped showing repository images about a year ago. I assumed it was an error by the developer @Jawnnypoo; today I have discovered that is not the case.
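The reproduction steps above can be scripted as a regression check. This is an added example, not part of the original report or of GitLab's code; it assumes the token is sent in the `PRIVATE-TOKEN` request header and that the avatar URL and token are passed on the command line.

```python
import sys
import urllib.error
import urllib.request

# Leading bytes of the image types an avatar upload is likely to be.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def classify(content_type, body):
    """Classify an avatar response as 'image', 'login_page' or 'other'.

    The body is inspected as well as the header, because the failure in the
    report is an HTML sign-in page served where the image should be.
    """
    if body.startswith(IMAGE_MAGIC):
        return "image"
    head = body[:512].lstrip().lower()
    if "text/html" in content_type.lower() or head.startswith((b"<!doctype html", b"<html")):
        return "login_page"
    return "other"


def fetch_avatar(url, token=None):
    """GET the avatar URL, optionally with a token, and classify the result."""
    # Assumption: the personal access token goes in the PRIVATE-TOKEN header.
    headers = {"PRIVATE-TOKEN": token} if token else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        # urlopen follows a redirect to the sign-in page, so the final
        # response is the one that gets classified.
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.headers.get("Content-Type", ""), resp.read(512))
    except urllib.error.HTTPError as err:
        return "http_%d" % err.code


if __name__ == "__main__":
    # usage: python check_avatar.py <avatar_url> <personal_access_token>
    avatar_url, pat = sys.argv[1], sys.argv[2]
    print("without token:", fetch_avatar(avatar_url))
    print("with token:   ", fetch_avatar(avatar_url, pat))
```

For a private project, `login_page` on the second line reproduces the behaviour reported above; `image` means the endpoint honoured the token.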