SSSD not using 389-ds to auth for SUDO

So it turns out the ou that I was trying to access didn’t have the 389ds ACIs that would allow anonymous binds, much less any other user to access entries in that ou.

The thing that tipped me off was running the query that was in /var/log/sssd/sssd_default.log after enabling debug_level = 9 (probably overkill) in the [sudo] section of /etc/sssd/sssd.conf.

I was able to get this working with the following ACI:

(targetattr="cn || objectClass || sudoCommand || sudoHost || sudoNotAfter || sudoNotBefore || sudoOption || sudoOrder || sudoRunAs || sudoRunAsGroup || sudoRunAsUser || sudoUser || description")(targetfilter="(objectClass=sudoRole)")(version 3.0; acl "Enable anyone sudoers rule read"; allow(read,search,compare) (userdn="ldap:///anyone");)

YMMV, but this appears to be working for me 🙂

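As an added example (not part of the original post), the script below turns the ACI above into an LDIF you can apply with ldapmodify, and then repeats the kind of anonymous search SSSD performs so you can confirm the directory now answers it. The OU DN, server URI and the simplified search filter are assumptions; adjust them to your tree. Note that `ldap:///anyone` also matches unauthenticated binds, so every client that can reach the directory can read the sudo rules; if that is more exposure than you want, SSSD can bind with a dedicated DN (`ldap_default_bind_dn` / `ldap_default_authtok` in sssd.conf) and the second argument of `sudo_aci_ldif` lets you scope the ACI to that DN instead.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an LDIF that attaches the
# post's sudoers ACI to an OU, applies it, and verifies the read with the same
# anonymous simple bind SSSD uses. All DNs and hosts below are placeholders.

# Print an LDIF 'modify' operation that adds the ACI to the given OU.
# Usage: sudo_aci_ldif "ou=SUDOers,dc=example,dc=com" [userdn-url]
# The optional second argument replaces ldap:///anyone with a narrower
# subject, e.g. the DN SSSD binds as.
sudo_aci_ldif() {
    ou_dn="$1"
    who="${2:-ldap:///anyone}"   # ldap:///anyone includes unauthenticated binds
    cat <<EOF
dn: ${ou_dn}
changetype: modify
add: aci
aci: (targetattr="cn || objectClass || sudoCommand || sudoHost || sudoNotAfter || sudoNotBefore || sudoOption || sudoOrder || sudoRunAs || sudoRunAsGroup || sudoRunAsUser || sudoUser || description")(targetfilter="(objectClass=sudoRole)")(version 3.0; acl "Enable anyone sudoers rule read"; allow(read,search,compare) (userdn="${who}");)
EOF
}

# Apply the ACI as the directory administrator (prompts for the password).
# Usage: apply_sudo_aci ldap://ldap.example.com "ou=SUDOers,dc=example,dc=com"
apply_sudo_aci() {
    uri="$1"; ou_dn="$2"
    admin_dn="${3:-cn=Directory Manager}"   # assumed admin DN
    sudo_aci_ldif "$ou_dn" | ldapmodify -x -H "$uri" -D "$admin_dn" -W
}

# Reproduce the check SSSD makes: an anonymous simple bind (-x with no -D)
# searching for sudoRole entries under the OU. The filter is a simplified
# form of what sssd_default.log shows; the real one also matches sudoHost.
# Returns 0 if at least one rule is readable, 1 otherwise.
# Usage: check_sudo_read ldap://ldap.example.com "ou=SUDOers,dc=example,dc=com"
check_sudo_read() {
    uri="$1"; ou_dn="$2"
    found=$(ldapsearch -x -LLL -H "$uri" -b "$ou_dn" \
                '(objectClass=sudoRole)' cn sudoUser sudoHost sudoCommand \
            | grep -c '^dn: ')
    if [ "$found" -gt 0 ]; then
        echo "anonymous client can read $found sudoRole entries under $ou_dn"
        return 0
    fi
    echo "no sudoRole entries readable anonymously under $ou_dn (ACI missing or too narrow)" >&2
    return 1
}
```

Run `check_sudo_read` before and after `apply_sudo_aci`: before, the anonymous search returns nothing even though the entries exist, which is exactly the symptom in the post; afterwards the rules are listed and SSSD's sudo provider can populate its cache.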