This works for me. Note the trailing slash on the path, and the `r` permission
rather than `rw` (QEMU opens the directory in read-only mode, as intended, so
read access is all the AppArmor rule needs to grant).
# Mark the disk device as read-only on the instance.
# <instance> and <disk> are placeholders for your own instance and device names.
lxc config device set <instance> <disk> readonly=true
# Pass one extra AppArmor rule to the instance's raw.apparmor key; the trailing
# "-" makes lxc read the value from stdin. The rule grants read ("r") only, not
# "rw", and keeps the trailing slash on the directory path.
# NOTE(review): this sets raw.apparmor to exactly this one rule, so an existing
# value is presumably replaced. Check `lxc config get <instance> raw.apparmor`
# first and merge the rules if something is already set.
# NOTE(review): the /var/lib/snapd/hostfs prefix looks like the host filesystem
# as seen by a snap-packaged LXD; confirm the path for your install.
printf "/var/lib/snapd/hostfs/srv/ r," | lxc config set <instance> raw.apparmor -
# Start the instance with the read-only device setting and AppArmor rule in place.
lxc start <instance>