set up a VPN (Tailscale is quick and easy to set up and configure though there are other options as well)
deploy your own version of the openHAB Cloud Server on a VPS somewhere
set up and configure a reverse proxy which implements good authentication before reaching your OH instance.
The further down the list you go, the more work it is now and ongoing to keep it working and safe.
As far as I’m aware. without the “explicit user role” enabled, HABPanel cannot access the parts of the REST API it needs to work (i.e. the Items). But even if it could get HABPanel to work with the API token, you still should do one of the above. OH does not have enough built in security to be directly exposed to the Internet.