I'll keep this short and sweet: On recent editions of debian linux distributions, you may have noticed that setting PasswordAuthentication no doesn't seem to have any effect when you set it.

That's because high up in the sshd_config file, there's a statement to include additional configs:

Include /etc/ssh/sshd_config.d/*.conf

Any settings pulled from this other area overrides conflicting statements in the main sshd_config file.

The solution? Specifically delete the 50-cloud-init.conf file and bounce sshd:

example@foo:~# sudrm /etc/ssh/sshd_config.d/50-cloud-init.conf
example@foo:~# sudo systemctl restart ssh