Until these snapd/snap limitations are lifted/fixed the following flow based on snapcraft export-login can be used to download snaps that require authorized access, this is an example with snap download but the same applies to ubuntu-image/snap prepare-image:
$ snap download test-snapd-private
Fetching snap "test-snapd-private"
error: cannot find snap "test-snapd-private": snap not found
$ snapcraft export-login --acls package_access p.login
Enter your Ubuntu One e-mail address and password.
If you do not have an Ubuntu One account, you can create one at https://dashboard.snapcraft.io/openid/login
Email: testdev@canonical.com
Password:
We strongly recommend enabling multi-factor authentication: https://help.ubuntu.com/community/SSO/FAQs/2FA
Login successfully exported to 'p.login'. This file can now be used with
'snapcraft login --with p.login' to log in to this account with no password
and have these capabilities:
snaps: No restriction
channels: No restriction
permissions: ['package_access']
This exported login is not encrypted. Do not commit it to version control!
$ UBUNTU_STORE_AUTH_DATA_FILENAME=p.login snap download test-snapd-private
Fetching snap "test-snapd-private"
Fetching assertions for "test-snapd-private"
Notice the requirement to pass --acls package_access to export-login, otherwise its default is for upload access which is different, would not cover downloading.
Be of course careful with the login files as they contain obviously authorisation secrets.