I had the same problem but was able to resolve it by using a hash with
script-src directive lets developers whitelist a particular inline
script by specifying its hash as an allowed source of script.
Usage is straightforward. The server computes the hash of a particular
script block’s contents, and includes the base64 encoding of that
value in the
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-...4aQo=' https://*.googleapis.com">
Note that for dynamic applications it’s better to use a nonce.
Hope this helps!