thanks for reaching out with this problem to access project badges on public projects.
Indeed there is a limitation when the SonarQube instance is set with ‘Force User Authentication’ (sonar.forceAuthentication). I guess this would be the case for your SonarQube as this is the default and recommended setup.
On such SonarQube instances, setting the project visibility to “public” provides any authenticated user the Read and Browse permissions for it (Browse is needed by this API endpoint), but anonymous calls are still rejected.
We might be able to improve this as part of MMF-1942, feel free to watch this ticket and/or vote for it.
Unfortunately I don’t have any easy solution for your problem today. I can’t recommend you to turn off the ‘Force User Authentication’ security setting and I did not find in gitlab documentation any hint about how to configure (and secure) a token for the authentication of these requests to SonarQube.
If you find something, please don’t hesitate to share any tip here.