There is a workaround. We use it in the Kroxylicious project. The workaround is clunky but it works.
The basic scheme is to run the actual Sonar scan in the project rather than PR context (I’m not sure what the proper GitHub terminology is). To do that our PR build uploads a text file containing the PR number. We then have a dependent build job which pulls that down, and then checks out the PR and runs the sonar scan on that.
The dependent build is our sonar.yaml and you can find the PR upload in this snippet.
HTH
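
The two-workflow scheme described in the post above, sketched as an added example; it is not the Kroxylicious project's own configuration. Assumptions: the workflow name `Build`, the artifact name `pr-number`, the secret name `SONAR_TOKEN`, and a Maven build whose Sonar project and host settings already live in the POM.

```yaml
# .github/workflows/build.yaml (hypothetical): runs in the PR context, no secrets
name: Build
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-number
          path: pr-number.txt
---
# .github/workflows/sonar.yaml: runs in the project context, where secrets exist
name: Sonar
on:
  workflow_run:
    workflows: [Build]
    types: [completed]
jobs:
  scan:
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:          # read-only token; the scan needs nothing more from GitHub
      actions: read
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-number
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - id: pr
        # The artifact was written by untrusted PR code: accept digits only.
        run: |
          n="$(head -c 16 pr-number.txt | tr -d '[:space:]')"
          case "$n" in ''|*[!0-9]*) echo "invalid PR number" >&2; exit 1;; esac
          echo "number=$n" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ steps.pr.outputs.number }}/head
          persist-credentials: false   # keep the job token out of the PR checkout
      # PR code is built here with SONAR_TOKEN in scope: use an analysis-only token.
      - run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.pullrequest.key=${{ steps.pr.outputs.number }}
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```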