To pull from private registries an additional step is required. You must configure the Kubelet to use the SOCI snapshotter as an image service proxy. This is explained in more detail in the SOCI docs. An example config patch:
machine:
kubelet:
extraConfig:
imageServiceEndpoint: unix:///var/run/soci-snapshotter/soci-snapshotter-grpc.sock