How to configure build using private container
Have been using container builds using the teamcity-agent container in container method with good success for nearly a year. I have been using a small collection of 6 or so containers hosted on quay.io.
I now have a container that contains some licensed software, so I need it to be a private repository (my first private repository).
In the Build Step dialog "Run step within Docker container" I have confirmed that the entry is correct by setting the container's repository to "Public", and the container is pulled and is able to respond to basic commands entered in the Custom script dialog.
However, when I set the repository to private, TeamCity builds fail, with the following message in the build log.
unauthorized: access to the requested resource is not authorized
Quay provides the ability to set up "Robot Accounts" for automated access, which seemed like the correct approach for this task, and I have confirmed that I can pull the image on a local VM by first logging into quay.io using:
podman login -u"robot-name" -p"gigantic robot hash" quay.io
I tried creating Connections using both the robot credentials, and also the user credentials that I normally use to push & pull containers from our quay repository, with no success.
I also tried adding the -u"" and -p"" parameters to the "Additional docker run arguments" dialog in the Build Step, also with no success.
Also tried enabling "Pull image explicitly", no luck.
Quay.io also provides .yml & .json configuration files for Kubernetes & Docker configurations, but I haven't found a way to use them so that TeamCity is able to utilize the private container image.
Surely I'm not the first one to need to do this, so I'm confident it's possible but just haven't found documentation to point me to the solution.
Thank you in advance for assistance.
It seems with a bit more persistence I was able to answer my own question.
I found that:
Entering pull credentials in the Build Step's "Additional docker RUN arguments" didn't help because they are RUN flags, and therefore don't apply to the PULL failure.
The connection that I created was correct, but I have since realized that I also needed to create a Build Features -> Docker Support that references the connection. After creating this, the private container was pulled successfully and appeared to run as expected.
Also see that there IS a note that describes this in the online documentation that I had not previously found.
Managing Projects -> Configuring Connections -> Configuring Connections to Docker
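
An added example, not part of the original thread: a small Python check for the cause found above, that the pull had no credentials for quay.io. It reads a Docker-format auth file (the `auths` layout of `config.json`, assumed here to match the .json file Quay offers) and reports which account would authenticate a pull without revealing the token. The image name and robot account are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample in the layout of a Docker config.json / podman auth.json.
# The account name and token are made up for this example.
SAMPLE_AUTH = json.dumps({"auths": {"quay.io": {
    "auth": base64.b64encode(b"myorg+ci_robot:not-a-real-token").decode()}}})


def registry_of(image: str) -> str:
    """Registry host an image reference is pulled from."""
    first, sep, _ = image.partition("/")
    # Docker's rule: the first component is a host only if it looks like one.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def _host(key: str) -> str:
    """Normalise an auths key, which may be a bare host or a full URL."""
    host = urlparse(key).netloc if "://" in key else key.split("/")[0]
    return "docker.io" if host in ("index.docker.io", "registry-1.docker.io") else host


def pull_identity(image: str, auth_json: str) -> dict:
    """Report which account, if any, would authenticate the pull of `image`.

    The secret half of the credential is never returned.
    """
    cfg = json.loads(auth_json)
    registry = registry_of(image)
    result = {"registry": registry, "username": None, "source": "none"}
    if registry in cfg.get("credHelpers", {}) or cfg.get("credsStore"):
        result["source"] = "credential helper"  # stored outside this file
        return result
    for key, entry in cfg.get("auths", {}).items():
        if _host(key) != registry:
            continue
        try:
            user, _, _secret = base64.b64decode(entry.get("auth", "")).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            result["source"] = "malformed auth entry"
            return result
        if user:
            result.update(username=user, source="auths")
        return result
    return result
```

A result with `source` equal to `none` for the image's registry corresponds to the `unauthorized` pull failure described in the question.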