The right way is to add the auth basic directives to the PHP location as nginx will only ever execute one location. So in your pasted config, if nginx gets a request for /passwordprotected/index.php then it won't be protected.

Of course, if you only want PHP files in that directory to be protected then you need a 2nd PHP location.