Have the V2 registry endpoints raise Unauthorized with the proper header when anonymous access is disabled

Before this change, we'd raise a generic 401, which was breaking containerd and cri-o.

Fixes https://jira.coreos.com/browse/QUAY-1332

test/registry/registry_tests.py

@@ -350,8 +350,12 @@ def test_pull_publicrepo_no_anonymous_access(pusher, puller, basic_images, lives
   with FeatureFlagValue('ANONYMOUS_ACCESS', False, registry_server_executor.on(liveserver)):
     # Attempt again to pull the (now public) repo anonymously, which should fail since
     # the feature flag for anonymous access is turned off.
+    options = ProtocolOptions()
+    options.attempt_pull_without_token = True
+
     puller.pull(liveserver_session, 'public', 'newrepo', 'latest', basic_images,
-                expected_failure=Failures.ANONYMOUS_NOT_ALLOWED)
+                expected_failure=Failures.ANONYMOUS_NOT_ALLOWED,
+                options=options)
 
     # Using a non-public user should now succeed.
     puller.pull(liveserver_session, 'public', 'newrepo', 'latest', basic_images,