Release asset links on private projects cannot be downloaded with a token

I've tried downloading the Release Assets for a private project using Project Access Tokens, Personal Tokens and Deploy Tokens and have been unable to retrieve the assets.

1. I've tried using username/password for project access tokens and deploy tokens, ?private_token=.... query string parameters and Private-Token headers.
2. I've experimented with different scope levels
3. Instead of responding with content, the user-agent is redirected to the login page: /users/sign_in
4. The access tokens work on the API and can be used to query versions, etc but fail to download the actual asset.

Example

$ export PRIVATE_TOKEN=<REDACTED PRIVATE ACCESS TOKEN>
$ curl --header "PRIVATE-TOKEN: $PRIVATE_TOKEN" https://gitlab.com/api/v4/projects/29833081/releases|jq '.[0].assets.links[0].url'
"https://gitlab.com/<REDACTED>/uploads/0d16c49454e32bc26809a1c5f3622950/checksums.txt"
$ curl --header "PRIVATE-TOKEN: $PRIVATE_TOKEN" "https://gitlab.com/<REDACTED>/uploads/0d16c49454e32bc26809a1c5f3622950/checksums.txt"
<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>

I've also tried using the direct_asset_url, instead the url, without luck.

Note that it's possible to download the source tarballs, but not the linked files.