CentOS 7.5 container operation not permitted?

At least one of the failures above refers to keyring which is a feature that systemd added recently which doesn’t work in containers and that it doesn’t detect properly…

The workaround for that which may unstick some of your units is:

lxc profile set default security.syscalls.blacklist "keyctl errno 38"

This effectively has the kernel pretend that the syscall systemd is doing simply doesn’t exist.

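Added example, not part of the original post: a small check to run inside the container to see whether `keyctl` now fails with errno 38 (ENOSYS), as the profile setting above intends. The function names and verdict strings are made up for this sketch, and the syscall numbers cover x86_64 and aarch64 only.

```python
import ctypes
import errno
import platform
import sys

# keyctl(2) syscall numbers from the kernel syscall tables for two common arches.
SYS_KEYCTL = {"x86_64": 250, "aarch64": 219}
KEYCTL_GET_KEYRING_ID = 0       # harmless query operation
KEY_SPEC_SESSION_KEYRING = -3   # special ID for the caller's session keyring


def classify(ret, err):
    """Map a raw keyctl result (return value, errno) to a verdict string."""
    if ret < 0 and err == errno.ENOSYS:
        return "masked"      # errno 38: what the "keyctl errno 38" rule produces
    if ret < 0 and err in (errno.EPERM, errno.EACCES):
        return "denied"      # syscall exists but the caller is refused
    return "reachable"       # success, or an ordinary error such as ENOKEY


def probe_keyctl():
    """Issue one read-only keyctl call and classify the outcome."""
    nr = SYS_KEYCTL.get(platform.machine())
    if not sys.platform.startswith("linux") or nr is None:
        return "unsupported"
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    ctypes.set_errno(0)
    ret = libc.syscall(ctypes.c_long(nr),
                       ctypes.c_long(KEYCTL_GET_KEYRING_ID),
                       ctypes.c_long(KEY_SPEC_SESSION_KEYRING),
                       ctypes.c_long(0))   # 0 = do not create a keyring
    return classify(ret, ctypes.get_errno())


if __name__ == "__main__":
    print("keyctl: " + probe_keyctl())
```

A result of "masked" means the call returned errno 38; "denied" means the syscall is still visible to the container but refused.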