Hi,
These are your best options. Having a bogus or expired organization-level PAT will indeed block PR decoration. It will also prevent you from importing addition repositories as your company bootstraps new projects. (You could, of course, swap in a valid PAT briefly when you need to set up new projects, and then swap it back out when you’re done.)
Note that it should be possible to script deactivation of PR decoration at the project level with the APIs. The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.
You may also find this guide helpful.
HTH,
Ann