As you mentioned, you need to use a PAT, but in this way:
git push https://{PAT}@dev.azure.com/{organization}/{project}/_git/{repo-name}
Another solution is to “Allow scripts to access the OAuth token” in the job options:
In the git push use the System.AccessToken:
git push https://$env:SYSTEM_ACCESSTOKEN@dev.azure.com/......
And give push permissions to the build user (in the repo settings):
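
An added example, not part of the original answer: a PowerShell pipeline step that uses the same System.AccessToken but sends it as an HTTP header through git's `http.extraheader` setting, so the push URL itself carries no secret. The `{organization}`, `{project}` and `{repo-name}` placeholders and the branch name `main` are assumptions to replace with your own values.

```powershell
# Added example (not from the original answer). The values in braces and the
# branch name are placeholders/assumptions; replace them with your own.
$remote = 'https://dev.azure.com/{organization}/{project}/_git/{repo-name}'
$branch = 'main'

# SYSTEM_ACCESSTOKEN is the environment form of System.AccessToken. It is only
# populated when the job is allowed to access the OAuth token, so fail early
# with a clear message instead of letting git fail on authentication.
if ([string]::IsNullOrEmpty($env:SYSTEM_ACCESSTOKEN)) {
    throw 'SYSTEM_ACCESSTOKEN is empty: enable "Allow scripts to access the OAuth token" for this job.'
}

# Pass the token as a bearer header for this single git invocation (-c applies
# the setting to this command only). The remote URL stays credential-free.
git -c "http.extraheader=AUTHORIZATION: bearer $env:SYSTEM_ACCESSTOKEN" push $remote "HEAD:refs/heads/$branch"

# git reports failure through its exit code, not a PowerShell exception.
if ($LASTEXITCODE -ne 0) {
    throw "git push failed with exit code $LASTEXITCODE. Check that the build user has push permission on the repo."
}
```

The build user still needs the push permission described above; the header only changes how the token is presented.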