AppArmor profile inside LXC container without changing lxc.apparmor.profile = generated to unconfined

I’m trying to limit the php-fpm binary running inside an LXC container, and I don’t want to change lxc.apparmor.profile to unconfined due to the security issues.

In generated mode, when trying to enforce a profile in the LXC container, I get this error:
Permission denied; attempted to load a profile while confined?

Is there any way to enforce an AppArmor profile from the LXC host on php-fpm running inside the container?
Based on the config manual, there is an option (lxc.apparmor.raw) to append a profile in generated mode, but I don’t know how to use it.

Additional info: LXC host: Debian bullseye; LXC container: Debian bullseye (privileged); LXC installed from the official Debian repository.