This is doable while using OAuth and I think you are close. Take a look at the Implementing web embed interfaces challenge in the Pega Platform Design > Lead System Architect mission. The mission uses an activity called AuthenticateMashup which has the base steps (operatorPage steppage steps) and maps the client id to a operator record as the pattern but be sure to secure and harden based on your requirements.
Grant Type = Customer Bearer
Check Custom bearer and add your Authentication activity in the OAuth 2.0 record
Update your OAuth Service Package
Add your operator record(s) you defined in the Authentication activity
Test your WebEmbed
I just tried this myself and it worked. Hope this helps with your use case.
As mentioned in this thread, true Anonymous authentication as offered for Traditional Pega applications, where a unique operator is provisioned for each new access, is not yet available for Constellation apps. However, you might “simulate” anonymous access by creating an operator record for use for all simulated anonymous accesses. Please see the bottom of this doc page for additional caveats with such an approach: Authentication in Web Embeds
Also, within the custom bearer activity or web ldap custom authentication service activity one might implement a copying of such a designated template anonymous operator record and devise a way to always make the operator ids unique to better simulate what is done within the Pega Authentication Service of type Anonymous. This path would be more complex as you would also need to manage what happens when the access token expires and a new full reauthentication is needed and any type of maintenance done to these created unique temporary operator id records.