Authenticate submodule in a different GitLab org

At my work we have 2 GitLab orgs, A and B. In org A there is a repository which has a submodule which I’d like to point to a repository in org B, but I don’t know how to make the authentication work when our GitLab Runner tries to do its thing. How can I let that runner authenticate? Below is the error:

Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

Is this two different top-level groups on the same instance, or completely separate GitLab instances?

This answer in "How do I pass credentials to pull a submodule in a Gitlab CI script?" on Stack Overflow highlights the usage of CI_JOB_TOKEN which should work out-of-the-box for same instance, different groups.

variables:
  GIT_SUBMODULE_STRATEGY: recursive

build:
  script:
    # just assume submodule is available and build your stuff here
    - ...

It requires allowing the downstream project A in the job token allowlist in the upstream project B. This should also work with private repository clones.
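An added example, not part of the original posts: "Host key verification failed" is an SSH error, so the submodule URL in `.gitmodules` is being fetched over SSH, where CI_JOB_TOKEN is never used. The sketch below audits `.gitmodules` and proposes the relative URL that lets the job token authenticate on the same instance. The host `gitlab.example.com`, the project paths `orgA/app` and `orgB/...`, and the function names are placeholders.

```python
import posixpath
import re
from urllib.parse import urlparse

# Constructed sample .gitmodules; host and project paths are placeholders.
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
    path = vendor/lib
    url = git@gitlab.example.com:orgB/lib.git
[submodule "vendor/shared"]
    path = vendor/shared
    url = ../../orgB/shared.git
"""

# scp-style SSH remote: [user@]host:path (no "//" after the colon)
SCP_STYLE = re.compile(r"^(?:[\w.-]+@)?([\w.-]+):(?!//)(.+)$")

def parse_gitmodules(text):
    """Return {submodule name: url} from .gitmodules content."""
    urls, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^\[submodule "(.+)"\]$', line)
        if m:
            name = m.group(1)
        elif name and re.match(r"^url\s*=", line):
            urls[name] = line.split("=", 1)[1].strip()
    return urls

def audit(url, ci_host, parent_path):
    """Classify one submodule URL; return (verdict, suggested relative URL)."""
    if url.startswith(("./", "../")):
        return "relative: resolved against the superproject's clone URL", None
    scp = SCP_STYLE.match(url)
    if scp:
        scheme, host, path = "ssh", scp.group(1), scp.group(2)
    else:
        parsed = urlparse(url)
        scheme, host, path = parsed.scheme, parsed.hostname, parsed.path.lstrip("/")
    if host != ci_host:
        return "other host: CI_JOB_TOKEN is not valid there", None
    suggestion = posixpath.relpath(path, start=parent_path)
    if scheme == "ssh":
        return "ssh: needs a runner key and known_hosts entry", suggestion
    return "https on same instance: job token can authenticate", suggestion

if __name__ == "__main__":
    for name, url in parse_gitmodules(SAMPLE_GITMODULES).items():
        print(name, audit(url, "gitlab.example.com", "orgA/app"))
```

With a relative URL in `.gitmodules`, the submodule is fetched from the same host and over the same transport as the parent project, so the allowlist entry described above is the only remaining requirement.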

Add the SSH key used by the GitLab runner to the submodule repository in OrgB as a deploy or SSH key. This enables the GitLab runner to authenticate and access the submodule repository during the CI/CD process.