For the general information of people that may stumble upon this topic, the GitLab API seems to only support token identification through headers at this point supports downloading file with authentication. I use this with a self hosted gitlab instance using API v4.
my artifact has its source url as
url = "<gitlab instance>/api/v<version>/projects/<project id>/repository/files/<path to file in repo with escaped special characters>/raw?ref=master&lfs=true&private_token=<project token>"
so that a user has no need to be authenticated to pull the artifact.
That of course works only if there is not too much security control there. If a user-by-user authentication must be used, I don’t think it is possible at the moment.