After so much research, I came up with a solution for this issue.

Note: There is no supporting document for api.fileDownload( to use OAuth-token.

So i tried using XMLHttpRequest and it worked fine.

SOLUTION

    var request = new XMLHttpRequest();
    request.open('GET', api.buildURL("YOURMODULE/" + model.get("id") + "/pdf/download"), true);
    request.setRequestHeader('OAuth-Token', api.getOAuthToken()); // UR TOKEN
    request.responseType = "blob";
    request.onload = function (e) {
        if (this.status === 200) {
            // `blob` response
            // create `objectURL` of `this.response` : `.pdf` as `Blob`
            var file = window.URL.createObjectURL(this.response);
            var a = document.createElement("a");
            a.href = file;
            /*request.onreadystatechange = function() {
              if(this.readyState == this.HEADERS_RECEIVED) {
                console.log(request.getResponseHeader("Content-Type"));
              }
            }*/

            a.download =  request.getResponseHeader("FileName");
            document.body.appendChild(a);
            a.click();
            document.body.removeChild(a);
        };
    };
    request.send();

Check this thread may be in future there may be updates: https://community.sugarcrm.com/message/90474-re-sugarcrm-filedownload-error-after-upgrade?commentID=90474#comment-90474

I've never used (or heard of) SugarCRM but it seems you need to move your authing token from the url to the HTTP-header. Exactly how to set a header in the built in function call to api.fileDownload() is hard to say (and cant find a single document online describing the function). But the idea is to remove the token from the url and then most likely send the header as some sort of parameter:

api.fileDownload(api.buildURL("Quotes/" + model.get("id") + "/pdf/download"), {
http-header: "OAuth-Token = " +api.getOAuthToken(),
    success: function() {
        app.alert.show("pdf_download_api_success", {
            level: "success",
            messages: SUGAR.language.get('Quotes', 'LBL_QUOTE_PDF_GENERATED'),
            autoClose: true
        });
    },});

Another way would be to simply change the settings as described in the URL you posted:

"If you want to enable this feature again, then you can use a new SugarConfig setting called allow_oauth_via_get. When the config setting is true, this will permit the oauth_token URL parameter to be used to pass access tokens."

EDIT: So I believe I found the .js file at https://github.com/askhogan/sugarcrm/blob/master/index.js

At the bottom om the function fileDownload():

// ping to make sure we have our token, then make an iframe and download away return this.call('read', this.buildURL('ping'), {}, internalCallbacks, {processData: false});

Have you tried removing the token part completely and just hope that the library will handle the authenticating with the help of cookies?

Apart from that, the function doesnt seem to have an option to set any header-fields (only option it seems to read is the iframe option which doesnt seem to help you).