I think https://github.com/matomo-org/matomo/blob/4.0.3/plugins/Widgetize/Controller.php#L36-L39 is not respecting the `enable_framed_allow_write_admin_token_auth` setting, @diosmosis?
It should maybe also be using https://github.com/matomo-org/matomo/blob/4.0.3/core/API/Request.php#L461 when token_auth is not empty?
Technically, I think that code is not even needed in the Widgetize controller, as it's already done in the FrontController, but it would generally maybe still be good to simply call that existing method as well (unless there's some reason not to call that method), just to be sure it'll be executed in the widgetized action no matter how it is executed.
I didn't actually test it. I only saw the code, and it looks like this will be causing issues.