even if you have configured a gitlab-runner for gitlab-ci and the runner’s ssh keys or api keys are used to clone the repo into the runners environment, if the build is triggered by a person who is not the member of the project you will get below error.

fatal: remote origin already exists.
 Clean repository
 remote: You are not allowed to download code from this project.
 fatal: unable to access 'https://gitlab-ci-token:[MASKED]@example.gitlab.com/project.git/': The requested URL returned error: 403
 ERROR: Job failed: exit code 1

The error is slightly miss leading as it says gitlab-ci-token in it, but it is occurred due to the triggering entity not being member of the project. Even if the person who triggered the project has owner access in Gitlab and is not a member of the project, you will still see this error.