Can you show dmesg and cat /var/log/snap/lxd/common/lxd/logs/lxd.log on an affected node?
Also showing lxc network show NAME --target NODE for one of the affected nodes may be useful.
It sounds like it may be the apparmor profile for dnsmasq getting in the way somehow.