Why does accessing Jira custom project avatars return 403?

We have an app that fetches a list of Jira projects via OAuth 2 (3LO) from REST API v2 ( via GET /rest/api/2/project/search) and renders them in a third-party application.

We use project.avatarUrls["24x24"] from the result to render the project avatars. Strangely, for Jira built-in avatars this works without any issues, however, for projects with custom avatars (image uploaded by us) the URLs return 403.

URLs look like this:

This does not work:

Here it works:

Does anyone have an idea how to fix this? It seems custom avatars are not made publicly accessible.