79361648

Date: 2025-01-16 12:56:38
Score: 2.5
Natty:
Report link

I think I have an idea for you. What if you add style-src-attr: 'unsafe-inline', but you secure style-src and script-src? In this way, essentially you are saying: "No inline script tags, no inline style tags, I could have dynamic style attributes but they will come only from the scripts I already approved". I know it adds inline styles as well. For those you can generate sha-256 code and add it in your style-src directive. The only thing that is a problem in that approach is that you may have to update it if you change the styling of the banner.

I do not see an issue with that approach. Do you think it is fine for you?

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Ends in question mark (2):
  • Low reputation (0.5):
Posted by: vvn050
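
The policy described in the answer above, as an added example that is not part of the original post: it hashes the contents of an inline `<style>` element into a `style-src` hash-source, allows style attributes through `style-src-attr`, and shows why a styling change forces a policy update. The banner CSS, the `'self'` sources and all function names are assumptions made for the illustration.

```python
import base64
import hashlib

# Constructed sample: the body of the banner's <style> element, exactly as
# served. The browser hashes the text between the tags, whitespace included.
BANNER_STYLE = "\n.banner { position: fixed; bottom: 0; background: #222; }\n"


def csp_hash(inline_text: str) -> str:
    """Return a CSP hash-source: 'sha256-<base64 of the SHA-256 digest>'."""
    digest = hashlib.sha256(inline_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_policy(inline_styles) -> str:
    """Assemble the header value: restricted script-src and style-src, hashed
    <style> blocks, and style attributes permitted via style-src-attr."""
    style_sources = ["'self'"] + [csp_hash(s) for s in inline_styles]
    directives = [
        "script-src 'self'",  # assumption: approved scripts are same-origin
        "style-src " + " ".join(style_sources),
        "style-src-attr 'unsafe-inline'",
    ]
    return "; ".join(directives)


def style_block_allowed(policy: str, inline_text: str) -> bool:
    """Mimic the browser check: is this <style> body's hash in style-src?"""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "style-src":
            return csp_hash(inline_text) in parts[1:]
    return False


if __name__ == "__main__":
    policy = build_policy([BANNER_STYLE])
    print("Content-Security-Policy:", policy)
    # The block that was hashed is accepted by the policy.
    print("original banner allowed:", style_block_allowed(policy, BANNER_STYLE))
    # Any edit to the CSS changes the digest, so the old policy rejects it.
    edited = BANNER_STYLE.replace("#222", "#333")
    print("edited banner allowed:", style_block_allowed(policy, edited))
```

Regenerating the header from the served `<style>` text at build time keeps the hash in step with the banner's styling.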