media_sideload_image with rewritten urls?

You’re right, it’s because by default, wp_handle_sideload() requires a valid extension in the URI in order to continue processing the sideload. That is, unless your role has a capability called 'unfiltered_upload', which by default is only given to admins.

If it seems appropriate (and safe) for you to grant this capability to the user role that will be initiating the sideload, then you could do that:

```php
// Persists the capability on the role in the DB; $role_name is e.g. 'editor'.
if ( $role = get_role( $role_name ) ) $role->add_cap( 'unfiltered_upload' );
```

Run this once from your functions.php and then comment it out (because you only need to modify the roles in your DB once).

Note: I can’t say I truly recommend this approach, because it does peel away one layer of security from what is potentially the most dangerous thing a user can do on your site: upload a file. If you do this, make absolutely certain that you sanitize your image file before exposing it back to the user, and don’t give them a direct URL to the upload, otherwise they could upload any old webshell and you’re completely and totally hacked.

You have been warned.
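An alternative that keeps the core file-type check in force, added here as an example and not part of the answer above: download the file, sniff its real image type from the bytes, and only then pass it to media_handle_sideload() under a filename whose extension matches what was sniffed, so nobody needs `unfiltered_upload`. The function name is hypothetical and it assumes a WordPress context where wp-admin/includes/file.php, media.php and image.php are loaded.

```php
<?php
/**
 * Added example, not from the original answer. Sideloads an image whose URL
 * has no usable extension without granting 'unfiltered_upload': the extension
 * is derived from the file's actual content, so wp_check_filetype_and_ext()
 * still runs and still rejects mismatched or non-image content.
 * Hypothetical helper name; assumes wp-admin/includes/{file,media,image}.php.
 */
function example_safe_sideload_image( $url, $post_id = 0 ) {
    // Allow list keyed by the MIME type wp_get_image_mime() reads from the bytes.
    $allowed = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    );

    // Fetch to a temp file; download_url() returns WP_Error on failure.
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    // Sniff the real content type; trust nothing in the URL.
    $mime = wp_get_image_mime( $tmp );
    if ( false === $mime || ! isset( $allowed[ $mime ] ) ) {
        wp_delete_file( $tmp );
        return new WP_Error( 'not_an_image', 'Downloaded file is not an allowed image type.' );
    }

    // The filename is ours, built from the sniffed type, so the extension
    // check in wp_handle_sideload() passes honestly rather than being bypassed.
    $file_array = array(
        'name'     => 'sideload-' . md5( $url ) . '.' . $allowed[ $mime ],
        'tmp_name' => $tmp,
    );

    $attachment_id = media_handle_sideload( $file_array, $post_id );

    // On success core moves the temp file into uploads; on failure we clean up.
    if ( is_wp_error( $attachment_id ) ) {
        wp_delete_file( $tmp );
    }
    return $attachment_id;
}
```

Because the attachment goes through the normal upload pipeline, it lands in the uploads directory with a safe extension and is served as a regular media item rather than as whatever the remote server chose to name it.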