We’re experiencing this issue as well, and not upgrading to Bitbucket 9 was not really an option for us. After some digging, I believe I understand the problem. As part of the Bitbucket connection validation, SonarQube attempts to validate the URL by calling the Search for repositories Bitbucket REST endpoint. Previous versions of Bitbucket would return a 200 to anonymous requests to this endpoint. In BBDC version 9.x, however, it returns a 401. This causes the misleading Invalid personal access token message to be shown.
A solution on the SonarQube side could be to change the validate URL to /status, rather than /rest/api/1.0/repos.
I’ve also opened a ticket with Atlassian to determine whether this change is intentional, as their REST API documentation still suggests the repos endpoint can handle anonymous requests. I will try to report back here if/when I hear from them.