This may be a CORS issue and not a GoJS issue per se. We cannot control what the browser allows to render onto the canvas, we can only call the draw commands.
You may want to set the Picture.sourceCrossOrigin property to see if that makes a difference. You will probably want to set it to “use-credentials” but I don’t know the details of your setup.
$(go.Picture,
{ width: 64, height: 64 },
{ sourceCrossOrigin: function(pict) { return "use-credentials"; } },
new go.Binding("source", "path"))