OK. It seems I need to learn more about nf_tables.
Meanwhile, to solve snap’s apparent disagreement with debian’s defaults, I solved this with
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
Rebooted, and the container gets it’s IP.
Cheers.