So it turns out the way to do this is using the proxy device, which also avoids any issues with file ID shifting too.
e.g.
devices:
lxdsocket:
bind: container
connect: unix:/var/snap/lxd/common/lxd/unix.socket
listen: unix:/root/lxd.socket
type: proxy
Then inside the container:
LXD_SOCKET=/root/lxd.socket lxc ls
Based on the excellent guide here How to manage LXD from within one of its containers – Mi blog lah!