Why are protected CI variables inaccessible in merge requests from one protected branch to another in a private repo?

When I create CI variables for checking out private repos with HTTPS, I am able to use them while cloning on the command line, so the variables are correct. If I mark the CI variables as unprotected, then CI jobs for merge requests also succeed in manually cloning the repos with those access tokens. This is with the ‘dev’ and ‘main’ branches protected, and the merge request coming in from ‘dev’ and targeting ‘main’. The ‘dev’ branch allows both developers and maintainers to merge, and push and merge. The tokens themselves provide developer-level reading of private repos.

However, if I set the variables to be protected (and I keep the ‘dev’ branch marked as protected) the merge request fails to use the token to check out the git repo.

I’m running a self-hosted GitLab instance, version 16.7.4.

---
image: ubuntu:focal

variables:
  GIT_STRATEGY: none
  GIT_CHECKOUT: "false"
  GITLAB_INSTANCE: "example.com"

stages:
  - test

workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

test:
  stage: test
  script:

    - apt-get update
    - DEBIAN_FRONTEND=noninteractive apt-get -y install git
    - git clone https://gitlab-ci-token:$MY_CHECKOUT_TOKEN@$GITLAB_INSTANCE/foo/bar.git

    - echo "more commands..."

$ git clone https://gitlab-ci-token:$MY_CHECKOUT_TOKEN@$GITLAB_INSTANCE/foo/bar.git
Cloning into 'bar'...
remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://example.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
fatal: Authentication failed for 'https://example.com/foo/bar.git/'
Cleaning up project directory and file based variables

I noticed that CI jobs are not created automatically for the ‘dev’ branch, due to my CI configuration, which targets the default branch, but not other protected branches, so commits to ‘dev’ outside of a merge request neither succeed nor fail. Could it be that I need to enable CI jobs for ‘dev’ in the .gitlab-ci.yml file, or is there some other configuration issue that I’m running into?

Thanks for your help. : )
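
A preflight for the `git clone` step in the job above, added here as an example and not part of the original post: it separates a token that never reached the job from one the server rejected, and logs the pipeline context alongside. `MY_CHECKOUT_TOKEN` and `GITLAB_INSTANCE` are the post's names, the `CI_*` names are GitLab predefined variables, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: preflight for the clone step in the `test` job.
# MY_CHECKOUT_TOKEN and GITLAB_INSTANCE come from the post; the CI_* names
# are GitLab predefined variables. Function names are hypothetical.

# Report whether the token reached the job, without printing its value.
token_state() {
    if [ -n "${MY_CHECKOUT_TOKEN:-}" ]; then echo "set"; else echo "empty"; fi
}

# One log line describing the pipeline the job is running in.
pipeline_context() {
    printf 'source=%s ref=%s ref_protected=%s\n' \
        "${CI_PIPELINE_SOURCE:-unknown}" \
        "${CI_COMMIT_REF_NAME:-unknown}" \
        "${CI_COMMIT_REF_PROTECTED:-unknown}"
}

# Fail before git runs when the variable was not injected, so an absent
# token is not mistaken for a rejected one.
preflight() {
    if [ "$(token_state)" = "empty" ]; then
        echo "MY_CHECKOUT_TOKEN is empty in this job: $(pipeline_context)" >&2
        return 1
    fi
    echo "MY_CHECKOUT_TOKEN is set: $(pipeline_context)"
}

# Clone with the token supplied through GIT_ASKPASS instead of the URL, so it
# is not written to the clone's .git/config as part of the remote URL.
# $1 is the project path, e.g. foo/bar.git
clone_with_token() {
    preflight || return 1
    askpass=$(mktemp) || return 1
    printf '#!/bin/sh\nprintf "%%s\\n" "$MY_CHECKOUT_TOKEN"\n' > "$askpass"
    chmod 700 "$askpass"
    export MY_CHECKOUT_TOKEN
    rc=0
    GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0 \
        git clone "https://gitlab-ci-token@${GITLAB_INSTANCE}/$1" || rc=$?
    rm -f "$askpass"
    return "$rc"
}
```

In the job's `script:` these functions would be sourced from a file in the image or repository and called as `clone_with_token foo/bar.git` in place of the inline `git clone` line.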