It is a known bug (which could also mean that it will not be possible anymore in the future):
You should subscribe to the bugs and wait.
Update: You can make it work by adding an
access_token to the API call, but you should only do that server side, of course. An App Access Token should be good enough:
Update 20.04.2018: It seems like picture URLs are working without an Access Token again:
<img src="https://graph.facebook.com/[app-scoped-id]/picture" />