Safari CSP ignores nonce and unsafe-inline
Okay I solved this:
In my experience and from testing here: You can't have an enforced and a report only CSP at the same time with Safari, it seems to mix policies up between them and report violations for non violating items.
Remove one of the CSP directives and either send a Report only or an enforced and it'll start working as intended.
Edit (16th March 2022) : Safari now fails to load completely if you have both a read only and an enforced CSP policy. The webkit bug has remained completely idle since this was first logged so we've had to remove the read only CSP to get Safari to work at all.
If anyone has contact at Webkit I'd really appreciate someone shining a light on this to try and get Webkit to actually work like a browser instead of the new IE6 again.