I'm having the same issue, with a more complex case: in my Angular app, I use the attribute ngCspNonce for all inline scripts and styles. For analytics, I load a first script (gtm.js) from googletagmanager and send it the nonce with the help of the page https://developers.google.com/tag-platform/security/guides/csp?hl=en. GTM then fires a call to the OneTrust script, automatically adding the nonce. Inside OneTrust you must be sure that the option
Enabled Content Security Policy support If enabled, the polyfill allows us to add inline styles, style tags with a nonce are allowed by the CSP
is checked at the publishing stage (both for test and production). And it's actually working!! Except for one little thing: the OneTrust script adds a
<div style="display: none; visibility: hidden;">
which is of course blocked by CSP and breaks the page style. I submitted a case to their support team and am waiting for an answer.
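
Why a nonce cannot cover the `style="..."` attribute described in the post above, shown as an added example that is not part of the original post and is not Angular, GTM or OneTrust code: a simplified model of the CSP Level 3 rules for inline style attributes. The policies and the nonce value are constructed, the function names are hypothetical, and matching an attribute by hash with `'unsafe-hashes'` is not modelled.

```javascript
// Added example: simplified CSP Level 3 check for inline style="" attributes.
// Sample policies are constructed; 'nonce-r4nd0m' is a placeholder value.
const NONCE_ONLY = "default-src 'self'; style-src 'self' 'nonce-r4nd0m'";
const NONCE_PLUS_UNSAFE_INLINE = "style-src 'self' 'nonce-r4nd0m' 'unsafe-inline'";
const SPLIT_ATTR_DIRECTIVE = "style-src 'self' 'nonce-r4nd0m'; style-src-attr 'unsafe-inline'";

// Parse "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Decide whether an element's style="..." attribute is applied under the policy.
// Not modelled: 'unsafe-hashes' together with a hash of the exact attribute value.
function inlineStyleAttrVerdict(header) {
  const policy = parsePolicy(header);
  // Fallback chain for style attributes: the most specific directive present wins.
  const directive = ["style-src-attr", "style-src", "default-src"].find((d) => policy.has(d));
  if (!directive) return { allowed: true, directive: null };
  const sources = policy.get(directive);
  const hasUnsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  // A nonce is carried only by <style>/<script> elements, never by an attribute,
  // and any nonce or hash in the list makes the browser ignore 'unsafe-inline'.
  return { allowed: hasUnsafeInline && !hasNonceOrHash, directive };
}

for (const p of [NONCE_ONLY, NONCE_PLUS_UNSAFE_INLINE, SPLIT_ATTR_DIRECTIVE]) {
  const v = inlineStyleAttrVerdict(p);
  console.log(`${v.allowed ? "applied" : "blocked"} (via ${v.directive}): ${p}`);
}
```

The third policy keeps nonces mandatory for `<style>` elements and relaxes only attributes, which is a weaker guarantee than the nonce-only policy and should be a deliberate choice.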