Why does accessing Jira custom project avatars return 403?

We have an app that fetches a list of Jira projects via OAuth 2 (3LO) from REST API v2 ( via GET /rest/api/2/project/search) and renders them in a third-party application.

We use project.avatarUrls["24x24"] from the result to render the project avatars. Strangely, for Jira built-in avatars this works without any issues, however, for projects with custom avatars (image uploaded by us) the URLs return 403.

URLs look like this:

This does not work:
https://api.atlassian.com/ex/jira/63790a21-b73c-46b8-ba3c-e34cbbb97cd8/secure/projectavatar?size=small&s=small&pid=10005&avatarId=10524

Here it works:
https://api.atlassian.com/ex/jira/63790a21-b73c-46b8-ba3c-e34cbbb97cd8/secure/projectavatar?size=small&s=small&pid=10009&avatarId=10499

Does anyone have an idea how to fix this? It seems custom avatars are not made publicly accessible.