@devve I actually had a similar problem and that’s why I have found your question. I’m also still rather new to security and Kafka, but here is what I have found and what works for me.
I have tried the same with CONTROLLER:SASL_PLAINTEXT but was not able to make it work. I think I got further than you; the problem you face is that the default sasl.mechanism is GSSAPI. In my case the problem I got is the same one mentioned here: Self-hosted Kafka with KRaft, SSL and SASL (scram-sha-256). As you can see in my answer, I switched to PLAINTEXT on the CONTROLLER, the same as you had initially. With that setting, I got the same problem you had in your first try.
I guess the reason why the ANONYMOUS user is used is that, when using PLAINTEXT on the controller, no authentication is necessary and therefore no user is available. I managed to get around the error by adding the ANONYMOUS user to the list of super users.
KAFKA_SUPER_USERS: User:broker;User:ANONYMOUS
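
An added example, not part of the original answer: because every connection on a PLAINTEXT listener is mapped to User:ANONYMOUS, the super-user entry above applies to each such listener, not only to CONTROLLER. The Python check below lists the listeners where that holds. The listener names BROKER and EXTERNAL, the sample values, and the use of KAFKA_LISTENER_SECURITY_PROTOCOL_MAP as the variable name for the listener map are assumptions.

```python
# Added example: find listeners on which User:ANONYMOUS super-user rights
# are reachable without authentication. Sample values are constructed.

# Protocols with no client authentication. SSL without client certificates
# also yields ANONYMOUS, but that depends on ssl.client.auth and is not modelled.
UNAUTHENTICATED = {"PLAINTEXT"}


def parse_super_users(value):
    """Split the semicolon-separated super.users list into a set."""
    return {u.strip() for u in value.split(";") if u.strip()}


def parse_protocol_map(value):
    """Parse 'NAME:PROTOCOL,NAME:PROTOCOL' into {NAME: PROTOCOL}."""
    result = {}
    for entry in value.split(","):
        name, sep, proto = entry.strip().partition(":")
        if sep:
            result[name.strip()] = proto.strip().upper()
    return result


def anonymous_superuser_listeners(env):
    """Return the listeners where an unauthenticated client is a super user."""
    if "User:ANONYMOUS" not in parse_super_users(env.get("KAFKA_SUPER_USERS", "")):
        return []
    pmap = parse_protocol_map(env.get("KAFKA_LISTENER_SECURITY_PROTOCOL_MAP", ""))
    return sorted(n for n, p in pmap.items() if p in UNAUTHENTICATED)


# Constructed sample: the setting from the answer plus an assumed listener map.
SAMPLE_ENV = {
    "KAFKA_SUPER_USERS": "User:broker;User:ANONYMOUS",
    "KAFKA_LISTENER_SECURITY_PROTOCOL_MAP":
        "CONTROLLER:PLAINTEXT,BROKER:SASL_SSL,EXTERNAL:PLAINTEXT",
}

if __name__ == "__main__":
    for listener in anonymous_superuser_listeners(SAMPLE_ENV):
        print(f"{listener}: unauthenticated clients act as super user")
```

With this workaround in place, any listener the check reports should be reachable only from the cluster's own nodes.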