Due to recent change (introduced by JENKINS-70729 -> MR) released in Jenkins v2.403, the http[s]://<server>/cloud/ end-point is newly guarded by Overall/SystemRead permission (here) and Node Sharing plugin REST API is hard affected by that change.

Unfortunately Overall/SystemRead isn't available and not manageable from UI by-default (details).

To let the code base of this plugin untouched, at least Overall/SystemRead is necessary to grant to the plugin (or role) on Executor side, I'm afraid similar situation might be on Orchestrator side as well. This part needs to be documented on plugin documentation.

Not sure if above is acceptable viable long-term solution, other possible way might be to use UnprotectedRootAction and move REST API end-point away from http[s]://<server>/cloud/nodesharing.... to elsewhere (e.g. http[s]://<server>/nodesharing...) - unfortunately introduces backward compatibility headache etc..