CORS API requests from Wikipedia to Commons may now use the "centralauthtoken" API parameter (implemented in Gerrit change 57662) to bypass the not-logged-in issues raised. This was merged on May 30 and therefore has probably been deployed since 1.22wmf6. It appears that MobileFrontend has the ability to use this since Gerrit change 67867.
The SUL2 work which will be deployed soon should improve the situation for web UI accesses, too. The "login handshake" hack mentioned here can probably be removed.