The Jira ticket was a bit misleading.
sonar.pullrequest.vsts.token.secured
is handled as an internal property;
see this thread:
https://community.sonarsource.com/t/sonarcloud-pr-decoration-on-azure-devops-pull-requests/19007
but maybe it’s possible to set it via the web API inside your build.