Can you show systemctl cat systemd-networkd?
We have a bunch of extra logic and workarounds for things like that in Incus and have daily tests confirming those images work fine, so the same should be repeatable with LXC, just needs a bit more work 
I expect that in this case the issue is likely with apparmor. You could give a try to:
lxc.apparmor.profile = generated
If that alone doesn’t help, then also add:
lxc.apparmor.allow_nesting = 1
That latter one isn’t advisable for a privileged container but should be perfectly fine for unprivileged and actually pretty close to Incus’ default behavior.